[00:00.000 --> 00:03.580]  Welcome, DEF CON 28, the Do No Harm panel.
[00:03.580 --> 00:06.020]  This is a healthcare security conversation.
[00:06.140 --> 00:10.020]  And for the next 45 minutes, followed by a 45-minute Q&A,
[00:10.020 --> 00:12.120]  you're going to hear from some of the world's top experts
[00:12.120 --> 00:14.500]  on the healthcare cybersecurity space.
[00:14.540 --> 00:15.260]  Welcome.
[00:17.080 --> 00:18.040]  Thanks, Quaddi.
[00:18.120 --> 00:19.280]  I'm Replicant.
[00:19.280 --> 00:21.480]  We're going to get out of the way here in just a moment
[00:21.480 --> 00:23.480]  and introduce you to our panelists,
[00:23.480 --> 00:27.100]  but obviously a little bit different of a venue for us
[00:27.100 --> 00:28.320]  than the last couple of years.
[00:28.320 --> 00:30.920]  We hope that everyone is staying safe and healthy
[00:30.920 --> 00:32.480]  and we're thinking of you and look forward
[00:32.480 --> 00:35.360]  to when we can hang out together in person.
[00:35.740 --> 00:37.400]  Without any further ado,
[00:37.400 --> 00:40.500]  I'm going to let our panelists take it away and say hi.
[00:42.080 --> 00:43.140]  Hi, everyone.
[00:43.140 --> 00:44.380]  My name is Ash Luft.
[00:44.380 --> 00:47.680]  I am a biochemist, a computer scientist,
[00:47.680 --> 00:49.300]  and an electrical engineer.
[00:49.480 --> 00:51.720]  I work as a medical...
[00:51.720 --> 00:54.700]  I work at a medical device firm called Starfish in Canada,
[00:54.700 --> 00:57.140]  and I'm a software engineer there
[00:57.140 --> 01:00.600]  and an advocate for security and privacy.
[01:02.910 --> 01:04.820]  I think that means that I'm next.
[01:04.820 --> 01:07.740]  So I don't have a handle, unfortunately.
[01:07.740 --> 01:09.820]  So I am Jessica Wilkerson.
[01:09.820 --> 01:13.060]  I'm a cyber policy analyst with the Food and Drug Administration,
[01:13.060 --> 01:17.180]  and I work on cybersecurity policy there for medical devices.
[01:17.420 --> 01:19.760]  Some of you may know me from my previous time
[01:19.760 --> 01:22.220]  with the United States Congress Energy and Commerce Committee
[01:22.220 --> 01:25.880]  where I worked on cybersecurity policy for them.
[01:25.880 --> 01:27.480]  Very nice to talk with everyone.
[01:27.480 --> 01:28.360]  I'm looking forward to the panel.
[01:28.360 --> 01:29.260]  Thank you.
[01:33.040 --> 01:34.820]  Hi, this is V.
[01:34.820 --> 01:35.920]  Everyone should know me.
[01:35.920 --> 01:38.600]  The short, the sweet, the sassy, the spunky.
[01:38.840 --> 01:42.920]  I'm leaving my company for the wild fields in Norway
[01:42.920 --> 01:45.120]  where I'll be having a whole host of minions
[01:45.120 --> 01:47.520]  to help me do medical device research.
[01:47.520 --> 01:50.640]  Currently doing independent research for Medtronic,
[01:50.640 --> 01:52.180]  aiding them to get more visualization
[01:52.180 --> 01:54.800]  on their products and their security.
[01:54.880 --> 01:57.000]  I'm an advocate for patient rights
[01:57.000 --> 01:58.820]  as well as keeping things safe,
[01:59.960 --> 02:02.940]  keeping it simple, keeping it stupid, as I say.
[02:03.620 --> 02:06.100]  And that's me, short and sweet.
[02:07.860 --> 02:09.080]  And that leaves me.
[02:09.080 --> 02:10.720]  My name is Vidya Murthy.
[02:10.720 --> 02:12.480]  I work for MedCrypt,
[02:12.680 --> 02:15.600]  a startup in the space of bringing cybersecurity features
[02:15.600 --> 02:17.100]  to medical devices.
[02:17.220 --> 02:20.200]  I absolutely am passionate about the subject matter
[02:20.200 --> 02:23.920]  and think that we're at an inflection point here
[02:23.920 --> 02:25.960]  and there's going to be a big amount of change
[02:25.960 --> 02:27.480]  as we go forward.
[02:30.130 --> 02:32.410]  Well, on behalf of Quaddi and myself,
[02:32.410 --> 02:33.750]  we are just so incredibly grateful
[02:33.750 --> 02:36.450]  to have an amazing panel this year.
[02:36.710 --> 02:39.290]  And for those of you who are joining us for the first time,
[02:39.290 --> 02:41.050]  and this is kind of one of the silver linings,
[02:41.050 --> 02:42.110]  I think, about this format,
[02:42.110 --> 02:43.390]  is that in past years,
[02:43.390 --> 02:44.970]  we've had folks who wanted to kind of get in
[02:44.970 --> 02:45.710]  on this conversation
[02:45.710 --> 02:47.690]  that weren't able to due to space constraints.
[02:47.690 --> 02:49.230]  So we're really thankful for the opportunity
[02:49.650 --> 02:51.510]  to have anybody who wants to come in,
[02:51.510 --> 02:54.110]  listen in and join with us to be able to do so.
[02:54.110 --> 02:56.190]  So for those who may not be familiar,
[02:56.190 --> 02:57.210]  what we're going to do is we're going to have
[02:57.290 --> 02:58.410]  a little conversation here
[02:59.510 --> 03:01.870]  between the four of these awesome panelists,
[03:01.870 --> 03:03.930]  and we're going to stay out of it as much as possible,
[03:03.930 --> 03:05.450]  but get their insights
[03:05.450 --> 03:08.130]  and kind of what their thought processes are
[03:08.130 --> 03:10.150]  and some of the things we've been seeing in the space lately.
[03:10.150 --> 03:11.550]  And then part of this session
[03:11.550 --> 03:14.930]  will be a live Q&A follow-up conversation afterwards.
[03:15.830 --> 03:19.010]  So we don't really have a formal set of questions
[03:19.010 --> 03:22.170]  like most of these kind of more rigid panels do,
[03:22.170 --> 03:24.130]  but I do want to kind of start off
[03:24.130 --> 03:25.510]  on a little bit of a brighter note.
[03:25.510 --> 03:26.430]  I think some of the times
[03:26.430 --> 03:29.290]  that we've had this event in past years,
[03:29.290 --> 03:31.810]  we spend about 45 minutes talking.
[03:31.830 --> 03:34.810]  The term dumpster fire comes up not infrequently.
[03:34.970 --> 03:36.950]  And then at the end, we try and push a little optimism
[03:36.950 --> 03:40.870]  because there really is a lot to be sort of hopeful about
[03:40.870 --> 03:43.130]  in large part because of the types of things
[03:43.130 --> 03:44.790]  that we're able to do at places like DEF CON.
[03:44.790 --> 03:47.790]  But I want to kind of start off this time upfront
[03:47.790 --> 03:49.650]  by asking each of our panelists,
[03:49.650 --> 03:52.250]  what are some developments lately
[03:52.250 --> 03:55.530]  that have helped make you feel particularly hopeful
[03:55.530 --> 03:57.110]  or optimistic about where we're heading
[03:57.110 --> 03:59.350]  in healthcare security before we get into some
[03:59.350 --> 04:00.950]  of the challenges that still remain?
[04:00.950 --> 04:03.310]  So kind of toss it back to our panel for us
[04:03.310 --> 04:05.470]  to get a little dose of optimism.
[04:06.650 --> 04:11.090]  Yeah, so I think looking at this year in particular,
[04:11.090 --> 04:13.990]  we've seen more and more devices going home with patients.
[04:13.990 --> 04:16.610]  We've seen hospitals go online in a way
[04:16.610 --> 04:20.670]  that they've never planned to in 10 years from now, right?
[04:20.670 --> 04:25.250]  And I think the notion that we can now build security
[04:25.250 --> 04:28.550]  into this and need to, to let patients have confidence
[04:28.550 --> 04:30.410]  in them operating from their homes,
[04:30.410 --> 04:32.990]  is something that seems to be top of mind for folks
[04:32.990 --> 04:34.610]  and actual common practice.
[04:34.610 --> 04:38.490]  So it feels like a confluence of various factors
[04:38.490 --> 04:41.510]  that are coming together at just the right moment.
[04:41.510 --> 04:43.850]  So we have this push of devices leaving the hospital.
[04:43.850 --> 04:46.690]  We have this push of device vendors
[04:46.690 --> 04:49.490]  really getting into the narrative more than ever before.
[04:49.490 --> 04:52.230]  And this collaboration like DEF CON brings together
[04:52.230 --> 04:56.550]  with researchers and devices themselves.
[04:56.550 --> 04:57.970]  And I just, I have a lot of hope
[04:57.970 --> 05:00.430]  that this year has the momentum behind it
[05:00.430 --> 05:02.790]  to really get this to stick and have the forces
[05:02.790 --> 05:05.450]  that are really gonna make this last in the future.
[05:09.560 --> 05:15.520]  Yeah, so I echo that, but I've also seen this big push,
[05:15.520 --> 05:17.120]  I find in the past three years,
[05:17.120 --> 05:18.880]  where you could not even have a conversation
[05:18.880 --> 05:20.260]  with a manufacturer, right?
[05:20.260 --> 05:21.580]  It was a brick wall.
[05:21.580 --> 05:23.360]  This year we're having conversations.
[05:23.360 --> 05:25.580]  This year we're invited to the table.
[05:25.840 --> 05:28.120]  Hackers are no longer the criminals
[05:28.120 --> 05:30.720]  that are lurking in the darkness.
[05:30.720 --> 05:32.080]  We've brought things to light.
[05:32.080 --> 05:34.460]  We're having difficult conversations,
[05:34.460 --> 05:35.840]  but we're having them.
[05:35.840 --> 05:38.240]  And I think that's a major push forward.
[05:38.240 --> 05:40.480]  But except for that, we now have developers
[05:40.480 --> 05:42.980]  and engineers thinking more security-wise,
[05:42.980 --> 05:46.280]  we've started to change the cultures of working in silos
[05:46.820 --> 05:49.120]  to start working as a collective.
[05:49.320 --> 05:51.920]  And one example that I've seen is the way
[05:51.920 --> 05:54.680]  that the community is jumping with the 3D printing,
[05:54.680 --> 05:59.020]  PPE, mask making, supporting medical people
[05:59.020 --> 06:00.360]  where they can.
[06:00.360 --> 06:01.940]  And I mean, even the CTI League
[06:01.940 --> 06:04.120]  that's protecting hospitals around the globe
[06:05.420 --> 06:07.420]  from cyber criminals.
[06:07.460 --> 06:09.760]  I mean, that is just a collective pool of humanity
[06:09.760 --> 06:11.560]  showing that if we work together,
[06:11.560 --> 06:14.940]  we can change the world one button at a time.
[06:15.160 --> 06:17.120]  What do you think, Jessica?
[06:18.060 --> 06:20.060]  Oh, I like the prompt.
[06:20.940 --> 06:23.340]  I mean, I think I started working on
[06:23.340 --> 06:24.900]  healthcare cybersecurity issues,
[06:24.900 --> 06:28.500]  I think right around 2015, 2016 timeframe.
[06:28.520 --> 06:30.540]  And at that point, obviously I was working on them
[06:30.540 --> 06:32.620]  for the United States Congress.
[06:33.680 --> 06:36.320]  And it was just an entirely different conversation.
[06:36.320 --> 06:38.660]  I mean, the things that we were talking about,
[06:38.660 --> 06:40.580]  you know, like V had said about
[06:41.000 --> 06:42.780]  let's bring in security researchers,
[06:42.780 --> 06:44.700]  let's have them be part of the conversation.
[06:44.700 --> 06:47.660]  They have valuable experience and things to contribute.
[06:47.800 --> 06:49.340]  That was just such a non-starter.
[06:49.840 --> 06:51.060]  And you had all these manufacturers
[06:51.060 --> 06:53.640]  who absolutely were never going to do that.
[06:53.640 --> 06:55.540]  That was completely unacceptable.
[06:55.540 --> 06:57.920]  We are still, in some cases,
[06:57.920 --> 06:59.920]  getting asked for help by the manufacturers
[06:59.920 --> 07:03.540]  to essentially be like, can you make this problem go away?
[07:04.500 --> 07:06.580]  And there were just other policy issues,
[07:06.580 --> 07:09.060]  you know, that have come up over the years.
[07:09.280 --> 07:11.280]  I work a lot on legacy device issues.
[07:11.280 --> 07:14.100]  I work a lot on software transparency issues.
[07:15.120 --> 07:18.820]  And they always started out as, this is never going to happen.
[07:18.820 --> 07:20.100]  We're never going to be able to do this.
[07:20.100 --> 07:22.200]  The industry will never accept this.
[07:22.460 --> 07:26.660]  And in 2020, it's completely different.
[07:26.660 --> 07:28.260]  I work on those issues every day.
[07:28.260 --> 07:30.540]  They are starting to be operationalized.
[07:30.680 --> 07:33.440]  Security researchers are a huge part of medical device
[07:33.440 --> 07:35.560]  and healthcare cybersecurity overall.
[07:36.000 --> 07:38.120]  And we've just really made so much progress.
[07:38.540 --> 07:41.120]  And we've made the progress in such a way
[07:41.120 --> 07:43.000]  that it has its own momentum now.
[07:43.000 --> 07:44.660]  It's going to carry itself through.
[07:44.660 --> 07:46.800]  And I just think that that really can't be overstated
[07:46.800 --> 07:48.060]  how valuable that is.
[07:50.040 --> 07:52.620]  Yeah, so I agree with what everyone said.
[07:52.640 --> 07:57.180]  I would say that I think one of the biggest things
[07:57.180 --> 07:59.880]  I've noticed in the last five, 10 years is the people.
[08:00.080 --> 08:03.520]  So community and like the number of people sort of coming together.
[08:03.520 --> 08:05.320]  There seems to be lots of different groups
[08:05.320 --> 08:06.980]  and organizations popping up,
[08:06.980 --> 08:10.420]  like even the last couple of years, advocacy groups,
[08:10.420 --> 08:11.860]  people working together.
[08:12.140 --> 08:13.860]  Yeah, medical device manufacturers.
[08:13.860 --> 08:16.460]  I mean, even when I, you know, five years ago
[08:17.040 --> 08:18.600]  started having these conversations
[08:18.600 --> 08:21.980]  and asking questions about security and privacy,
[08:21.980 --> 08:24.260]  it was harder to find other people
[08:24.260 --> 08:27.540]  to even have a discussion with about these things.
[08:27.540 --> 08:30.480]  And now it just seems like there's this momentum
[08:30.480 --> 08:32.520]  that's really building and the number of people
[08:32.520 --> 08:36.320]  who are engaged and want to make a difference
[08:36.320 --> 08:38.860]  and want to be a part of the conversation is growing.
[08:38.860 --> 08:40.800]  And I see that as a huge positive thing
[08:40.800 --> 08:42.660]  because realistically, like the more people
[08:42.660 --> 08:45.920]  that we have participating in the conversation,
[08:45.920 --> 08:49.860]  the more action that we're going to be able to take sooner and faster.
[08:51.620 --> 08:54.600]  Yeah, I think one of the big things also
[08:54.600 --> 08:57.280]  is we've seen physicians coming to the table
[08:57.760 --> 08:59.980]  and wanting to learn more about the devices
[08:59.980 --> 09:02.900]  they have and work with, right?
[09:02.900 --> 09:06.420]  It's not just the security people driving it or policy driving.
[09:06.420 --> 09:09.120]  And I think the healthcare industry has come back with a bang
[09:09.120 --> 09:13.020]  and saying, how can we make this better for our patients?
[09:13.220 --> 09:14.900]  Because in the end, I think every physician
[09:14.900 --> 09:18.340]  wants to make it safer for their patients.
[09:19.020 --> 09:21.640]  And that's a big thing for me that I've seen this year
[09:21.640 --> 09:24.240]  is the physicians coming to the table saying,
[09:24.240 --> 09:26.000]  well, how can we learn more?
[09:26.480 --> 09:33.360]  How do we translate this to our patients in a way that they understand?
[09:36.020 --> 09:37.960]  Yeah, yeah, I think that...
[09:38.520 --> 09:40.940]  I love conference calls.
[09:40.940 --> 09:45.240]  I was going to say, you know, I'd really...
[09:45.240 --> 09:46.940]  I'd echo that because I think, you know,
[09:46.940 --> 09:49.980]  even going beyond patients and things,
[09:49.980 --> 09:54.720]  one of the things that my boss is really quite insistent on,
[09:54.720 --> 09:58.260]  and you probably all know Suzanne Schwartz one way or another,
[09:58.260 --> 10:02.000]  is the shared responsibility of the healthcare sector,
[10:02.000 --> 10:05.100]  where, you know, even we are the Food and Drug Administration.
[10:05.100 --> 10:06.340]  We can only do so much.
[10:06.340 --> 10:09.000]  We have jurisdiction over the medical device.
[10:09.000 --> 10:10.920]  We don't have jurisdiction over hospital networks.
[10:10.920 --> 10:15.680]  We don't have jurisdiction over other parts of it that, you know,
[10:15.680 --> 10:19.740]  sometimes that are certainly implicated in cybersecurity concerns.
[10:19.820 --> 10:27.240]  And so, you know, there's traditionally been a very fraught relationship between,
[10:27.240 --> 10:31.000]  for example, medical device manufacturers and healthcare delivery organizations,
[10:31.000 --> 10:33.360]  so hospitals and others.
[10:33.500 --> 10:37.080]  And what I've started to see and have personally experienced
[10:37.080 --> 10:40.780]  over the last couple of years is a greater and greater breakdown
[10:40.780 --> 10:43.200]  of the barriers between those two groups.
[10:43.200 --> 10:46.760]  So with some of the partnership groups that exist,
[10:46.760 --> 10:50.320]  I spend a lot of time working with the Healthcare Sector Coordinating Council.
[10:50.320 --> 10:54.020]  For example, you have hospital CISOs who are on the phone every day
[10:54.020 --> 10:57.080]  with global product security officers at medical device companies,
[10:57.080 --> 10:59.480]  and they're just having conversations.
[10:59.480 --> 11:00.900]  I mean, sometimes they're just shooting the shit,
[11:00.900 --> 11:03.580]  and sometimes they're actually talking about work stuff.
[11:03.580 --> 11:08.280]  Those relationships being there and being already established
[11:09.080 --> 11:10.580]  are just so meaningful.
[11:10.580 --> 11:14.400]  It allows the progress in the sector to be made so much faster
[11:14.400 --> 11:16.640]  and problems to be addressed so much quicker.
[11:16.780 --> 11:19.340]  And so I would echo what V said about, you know,
[11:19.340 --> 11:22.340]  we're having almost new entrants into the conversation
[11:22.920 --> 11:25.580]  that's letting the conversation really take off.
[11:26.780 --> 11:28.260]  I just want to say...
[11:28.260 --> 11:30.900]  Sorry. Go ahead, Christian.
[11:30.900 --> 11:33.300]  I just want to say these are all fantastic insights,
[11:33.300 --> 11:37.880]  and I love to hear the optimism around how the conversation's changed,
[11:37.880 --> 11:40.540]  because every year when we have this event,
[11:40.540 --> 11:45.780]  we undoubtedly have to talk about an event that's happened during the year,
[11:45.780 --> 11:47.320]  you know, whether or not it's WannaCry,
[11:47.320 --> 11:49.740]  or whether or not it's a security researcher
[11:49.740 --> 11:53.420]  that's been shunned or threatened by a device manufacturer.
[11:53.420 --> 11:55.820]  And for, I think I can say this is the first year
[11:55.820 --> 11:59.560]  where I have not been publicly aware of such an event.
[11:59.560 --> 12:03.140]  And so I think that's really proof to what everyone's saying here
[12:03.140 --> 12:09.060]  is at least part of the interaction with hackers has changed.
[12:09.060 --> 12:11.980]  Now, whether or not that'll stick or whether or not this is just an off year,
[12:11.980 --> 12:13.220]  I think we'll have to see.
[12:13.220 --> 12:16.160]  But when we have strong partners in this space,
[12:16.160 --> 12:18.440]  you know, hackers coming together with health organizations
[12:18.440 --> 12:23.560]  and device manufacturers welcoming their collaboration,
[12:23.560 --> 12:24.760]  everyone wins.
[12:24.760 --> 12:28.400]  And that's really what makes patients safer at the end of the day.
[12:28.540 --> 12:30.700]  I wanted to just also say, though,
[12:30.920 --> 12:36.500]  a lot of what was discussed is optimism around this is a great year.
[12:36.540 --> 12:38.400]  It's also a horrible year.
[12:38.400 --> 12:41.600]  COVID, like 2020 is one I would love to forget.
[12:41.600 --> 12:45.440]  There are so many things about this year that have absolutely sucked.
[12:45.860 --> 12:49.480]  One of the things that's been voiced to me by a variety of people is,
[12:49.480 --> 12:51.940]  you know, how is COVID going to impact this?
[12:51.940 --> 12:54.440]  You know, how is COVID going to impact hackers,
[12:54.440 --> 12:57.180]  security researchers, security professionals,
[12:57.180 --> 13:00.420]  and the momentum that we have made?
[13:00.720 --> 13:03.400]  Because there's legitimate concern, I feel,
[13:03.400 --> 13:07.000]  that, you know, a lot of security work,
[13:07.060 --> 13:10.280]  a lot of securing these types of spaces costs money,
[13:10.280 --> 13:12.920]  and how a lot of that money is being sucked
[13:12.920 --> 13:16.900]  from what would be security budgets into responding to COVID.
[13:16.960 --> 13:22.060]  And as a consequence, do people here think we're going to see a regression?
[13:22.060 --> 13:23.600]  You know, we've made 10 steps forward.
[13:23.600 --> 13:28.620]  Are we going to go five steps back because COVID really stopped it,
[13:28.620 --> 13:29.460]  stopped the momentum?
[13:29.460 --> 13:31.180]  Love to hear your guys' thoughts.
[13:32.660 --> 13:35.040]  So I'll start.
[13:35.040 --> 13:36.160]  Sorry, Vidya.
[13:36.920 --> 13:39.940]  I think it's broken the perimeter, right?
[13:39.940 --> 13:44.820]  It's forced us to pull up our socks, right?
[13:44.820 --> 13:48.900]  The healthcare perimeter is now no longer within your hospital.
[13:48.900 --> 13:52.640]  You have patients at varied areas and everything is different.
[13:53.070 --> 13:58.380]  But I don't necessarily think taking 10 steps back is a bad thing, right?
[13:58.380 --> 14:03.740]  This year has given us time to assess, time to view the healthcare scene,
[14:03.740 --> 14:05.180]  the medical device scene.
[14:05.180 --> 14:09.440]  And if anything, forced us to slow down and observe
[14:11.180 --> 14:15.120]  and just take note of what's happening, right?
[14:15.120 --> 14:18.680]  I see hospitals crumbling up underneath a pandemic,
[14:18.680 --> 14:24.400]  which is something that their function is to care for patients.
[14:24.440 --> 14:29.520]  And we see that even the biggest hospitals are struggling
[14:30.460 --> 14:35.760]  and that perhaps we just need to take a step back and rebuild.
[14:36.400 --> 14:39.680]  Maybe 2021 could be the year that we build things better
[14:39.680 --> 14:42.540]  instead of trying to slap a Band-Aid on.
[14:42.540 --> 14:45.000]  We do things right and we do things better.
[14:46.560 --> 14:48.400]  From the ground up.
[14:49.740 --> 14:53.420]  Yeah, I love that notion of taking the time to rebuild.
[14:53.420 --> 14:58.620]  I mean, we've seen where healthcare facilities have already been compromised
[14:58.620 --> 15:03.500]  before they saw their first patient as part of trying to meet the need for COVID.
[15:03.780 --> 15:06.800]  One of the things I worry about is, in some sense,
[15:06.800 --> 15:10.700]  I think there's this urgency from a clinical perspective to get devices out to patients
[15:10.700 --> 15:14.140]  and kind of solve some of the medical problems.
[15:14.400 --> 15:19.340]  Has that resulted in these devices having security measures
[15:19.340 --> 15:23.320]  that were intentionally not so robustly built in from the beginning
[15:23.320 --> 15:25.920]  just so they could get out and treat these patients?
[15:25.920 --> 15:28.760]  And what do you do now, right? Can you walk that back?
[15:28.760 --> 15:30.720]  Can you say, hey, give all those devices back to us?
[15:30.720 --> 15:32.660]  We don't want to necessarily see it.
[15:32.660 --> 15:37.640]  So I think your point of needing to build from the beginning is absolutely heard,
[15:37.640 --> 15:43.560]  but I wonder if you're realistically able to call pause on the care that's already out there.
[15:44.420 --> 15:48.740]  I don't know. I mean, I always refer to it as the legacy problem, right?
[15:48.760 --> 15:51.820]  Literally, it's a sea of devices out there.
[15:51.820 --> 15:55.520]  And I mean, if you look at the number of devices out there every year,
[15:55.520 --> 16:00.120]  it just increases exponentially. I mean, the maths blows my head.
[16:00.120 --> 16:04.280]  I sat in it the other day knowing, well, how do we solve this?
[16:05.020 --> 16:09.700]  And I think one of the solutions is to do things better going forward, right?
[16:09.700 --> 16:16.640]  Is not to introduce new devices with the same flaws and the same vulnerabilities and adding to our problem.
[16:16.680 --> 16:22.960]  Because those devices, if you take an ICD, for example, can last an excess of a decade.
[16:23.040 --> 16:32.860]  If that's 600,000 devices implanted a year, lasting 10 years, it is an ocean that you're trying to boil.
[16:33.540 --> 16:38.980]  You can't necessarily say to someone, hey, I need to catheterize your device because it's got a flaw in.
[16:38.980 --> 16:42.620]  My device has got a flaw in that I'm fully aware of.
[16:43.140 --> 16:50.240]  But what are the options? I have to go for 10 years with this device until it's made better.
[16:50.460 --> 16:56.320]  But these devices were not built with security as a functional requirement.
[16:56.740 --> 16:58.520]  It's a clinical requirement.
[16:58.520 --> 17:06.580]  And I think if we start shifting and start building and designing with security in mind, we can start addressing the problem forward.
[17:06.580 --> 17:14.580]  In terms of the legacy problem, I actually don't know how to boil that ocean, to be honest with you.
[17:16.940 --> 17:19.560]  Yeah, I like what everyone is saying.
[17:19.560 --> 17:27.260]  I like the idea of being able to rebuild and taking a step back to think about how we want to solve some of these problems.
[17:27.260 --> 17:30.060]  I think that in practice, it's really hard.
[17:30.060 --> 17:47.320]  Again, with the clinical, looking at the clinical perspective, like right now, we're working on trying to create a massive number of respirators and ventilators in a short period of time and make them safe and make them functional.
[17:49.940 --> 17:55.180]  If it costs more and it takes more time to add the security, it's hard to make the argument.
[17:56.620 --> 17:57.940]  What's more important?
[17:57.940 --> 18:07.060]  If people are dying and it's literally minutes, hours makes a difference between life or death and you can get one more ventilator into a room,
[18:07.060 --> 18:18.880]  if it took an extra two days, even a day to add security, let's just say for the sake of this problem, is that worth it?
[18:18.880 --> 18:23.520]  Whose lives should we sacrifice to add the security?
[18:23.520 --> 18:26.180]  And like, it's tough.
[18:26.180 --> 18:31.760]  I don't know how we can sort of push for that and where to draw the line in practice.
[18:32.080 --> 18:33.760]  It's a bad thing.
[18:34.920 --> 18:35.960]  Sorry, Jessica.
[18:36.400 --> 18:44.080]  No, no, I was just going to say, you know, I think the way that we've certainly experienced it at FDA is we're doing things in parallel.
[18:44.140 --> 18:56.380]  So I have been very blessed in my time at FDA not to have been fully pulled into the COVID response, but I'm still 100% on cybersecurity.
[18:56.380 --> 19:10.320]  And essentially what that's allowed us to do is while, you know, a significant portion of the agency is all in on COVID and figuring out what they need to do and doing some of the things exactly what you all are saying, getting devices to patients who need them.
[19:10.440 --> 19:16.020]  We also still have a very dedicated team at FDA looking at cybersecurity.
[19:16.560 --> 19:24.500]  And another thing that I was really lucky when I came into FDA, I think everybody, you know, elementary school feels like a bajillion years ago.
[19:24.500 --> 19:30.720]  But, you know, like you'd like walked into elementary school and there's that one person there who's just like, you're like, we're going to be best friends.
[19:30.720 --> 19:32.820]  We're going to do great things together.
[19:33.100 --> 19:38.040]  For those of you who have not met Matt Hazlett, he probably is like sick of me talking about him.
[19:38.040 --> 19:40.280]  But anyway, Matt Hazlett is great.
[19:40.280 --> 19:48.420]  And he is the essentially the one of the leads at FDA for doing cybersecurity reviews of devices as they come in.
[19:48.420 --> 20:03.380]  And so at the same time that all of this is going on with COVID, what Matt and his team within the device review office at FDA have really started doing is they're getting tighter and tighter and tighter and tighter at looking at exactly what you all are saying.
[20:03.380 --> 20:09.080]  We're learning so many lessons from deployed devices about vulnerabilities that are showing up.
[20:09.080 --> 20:16.720]  We're learning so much about what manufacturers maybe aren't doing on the front end that are causing problems on the back end.
[20:16.720 --> 20:21.220]  And what Matt and his team have really been able to do is they're taking all of those things,
[20:21.220 --> 20:23.700]  they're taking the vulnerabilities that are showing up in post-market,
[20:23.700 --> 20:31.820]  they're taking the missing pieces of the process, the gaps in the process in the development of medical devices,
[20:31.820 --> 20:35.560]  and they're putting that into the pre-market review process where they're essentially saying,
[20:35.560 --> 20:42.880]  okay, we are learning every day how to get better at reviewing devices and they're implementing it.
[20:42.880 --> 20:57.380]  So I think while we're certainly seeing issues or there's just this very valid urgency about getting devices out where they need to be,
[20:57.940 --> 21:06.440]  we also still have this very robust mechanism at FDA in particular for making sure that anything that we're learning,
[21:06.440 --> 21:11.560]  anything that's coming up with regard to cybersecurity is actually making it back into our process.
[21:15.590 --> 21:19.890]  Yeah, the one thing I would say, I think that the financial, which was the original question, right?
[21:19.890 --> 21:23.210]  What impact is the financial drain going to have on these devices?
[21:23.210 --> 21:25.730]  I think that's exactly, there's almost a compliment there, right?
[21:25.730 --> 21:33.590]  If we can get the financial decisions to be informed by what the pre-market is telling us in terms of meeting certain security requirements
[21:33.590 --> 21:38.770]  and really having that be key criteria and decisions and not just, no offense to the clinicians,
[21:38.770 --> 21:41.970]  the clinician really likes this one brand and that's what they're going with.
[21:41.970 --> 21:47.370]  Having it be part of that core decision, I think absolutely will drive that change.
[21:48.730 --> 21:55.710]  My only decision about whether or not I use a device is how many 5G microchips I can inject into a patient.
[21:56.010 --> 21:57.930]  Wait, does it have to say AI in it?
[21:58.550 --> 22:02.150]  No, that's the blockchain version. That's 4G.
[22:02.210 --> 22:07.170]  This is being recorded, man. That is going to be clipped. That is going to be taken out of context.
[22:07.170 --> 22:10.390]  It's going to be viral on Twitter in the next couple of days.
[22:10.810 --> 22:14.610]  And we're going to hear about how doctors are part of the 5G conspiracy.
[22:14.610 --> 22:17.510]  So, strong work on that one.
[22:18.010 --> 22:20.430]  Yeah, well done.
[22:20.670 --> 22:22.550]  What I did want to ask, right?
[22:22.550 --> 22:28.210]  So I'm going to turn it, I want to ask Christian and Jeff a question, seeing as we're being grilled here.
[22:28.690 --> 22:31.110]  You as clinicians, right?
[22:31.430 --> 22:35.230]  When you are making a decision for your patient, right?
[22:35.230 --> 22:39.190]  You know, security versus clinical functionality.
[22:39.430 --> 22:41.010]  How do you do that balancing act?
[22:41.010 --> 22:46.290]  Because you guys are unfortunate as physicians to have your feet on both walls.
[22:46.370 --> 22:49.170]  So from your perspective, how do you balance it out?
[22:49.170 --> 22:52.450]  How do you work it out in your mind?
[22:52.450 --> 22:57.470]  Because for us, it is security first and foremost and patient care.
[22:57.470 --> 23:00.010]  But we almost move from a security perspective.
[23:00.010 --> 23:02.850]  I've been a patient. I've seen that side.
[23:02.850 --> 23:08.290]  But I'm quite keen to hear from your side what your perspective on it is.
[23:09.250 --> 23:11.430]  Yeah, that's a great question.
[23:11.470 --> 23:21.830]  And I think that COVID is really starkly forcing us to understand and choose between some of these seemingly opposite goals.
[23:21.830 --> 23:28.010]  In medicine, we frequently have to weigh multiple different pros and cons for any particular treatment or situation.
[23:28.010 --> 23:33.450]  A patient may need anesthesia for a procedure, but they're also very tenuous from a cardiovascular standpoint.
[23:33.450 --> 23:36.970]  So what's more dangerous, not getting the procedure or putting them under anesthesia?
[23:36.970 --> 23:41.950]  And so oftentimes you have to say, well, we need to take both into account simultaneously.
[23:42.110 --> 23:48.750]  And the points that we've made about the necessity and the urgency of the situation are absolutely correct.
[23:48.750 --> 23:55.630]  When we're in the ICU or in the OR, dealing with these patients, security is not at the forefront of our mind.
[23:55.630 --> 24:00.590]  What technology do we need to achieve the physiologic goals we have for that particular patient?
[24:00.610 --> 24:05.170]  When we go home and we talk to people like you, and we're able to put it on our hacker and security researcher hat,
[24:05.170 --> 24:11.830]  obviously we start to be able to understand and conceptualize the consequences of some of the downstream effects.
[24:11.830 --> 24:15.390]  So it is a complete balancing act 100% of the time.
[24:15.390 --> 24:19.770]  Anybody who tells you they have a perfect formula for that answer is lying to you.
[24:19.770 --> 24:25.230]  The thing that's been somewhat reassuring to me is we have had conversations with people that we work with
[24:25.230 --> 24:30.270]  in our hospitals and elsewhere, where they understand that you kind of have to shoot for both.
[24:30.350 --> 24:36.790]  And in some of our institutions, I've had people say from the disaster and emergency management side of things,
[24:36.790 --> 24:39.750]  hey, we're gaming out the COVID response and going on that right now.
[24:39.750 --> 24:47.370]  But we want to fold a security information infrastructure exercise into that as well.
[24:47.370 --> 24:53.530]  Understanding that some of these events, whether it's UCSF and the ransomware issue,
[24:53.530 --> 24:58.410]  or some of the hospitals in the Czech Republic who have been hit during this period,
[24:58.410 --> 25:02.990]  the underlying assumption that people are now realizing is that you need a stable infrastructure
[25:02.990 --> 25:10.250]  and good devices to be able to treat patients and have the best outcomes in a crisis situation like this.
[25:10.250 --> 25:15.030]  So deficiencies on the security side only hinder your ability to achieve your main mission.
[25:15.030 --> 25:18.770]  And so it's less, then, of a shunting of resources from one to the other.
[25:18.770 --> 25:22.350]  And then how can we maximally benefit both of those aspects?
[25:22.550 --> 25:26.570]  Which is never perfect, but it's a better way of thinking about it than a trade-off.
[25:27.610 --> 25:29.270]  Yeah, I just completely echo that.
[25:29.270 --> 25:34.470]  Like one of my nightmare scenarios is treating a hospital full of COVID patients
[25:34.470 --> 25:39.770]  where the ICUs are overflowing and then getting hit with ransomware, for example.
[25:39.770 --> 25:47.970]  So what little bandwidth we have left to handle the surge, to treat the patients as best we can,
[25:47.970 --> 25:53.530]  goes out the window when the digital tools we use, whether or not it's the electronic health record
[25:53.530 --> 25:58.990]  or connected medical devices or all of the above, would be impacted by an attack.
[25:58.990 --> 26:04.730]  And so it's not just maybe a little bit of impact to patient care.
[26:04.730 --> 26:06.770]  It's going to be huge.
[26:06.770 --> 26:09.970]  And one of the things we all like to talk about, and I think we all know in this space,
[26:09.970 --> 26:14.610]  is just how dependent doctors are on connected medical technology.
[26:14.610 --> 26:20.950]  Doctors, nurses, technicians, modern healthcare is exceptionally connected, hyper-connected, if you will.
[26:21.130 --> 26:27.670]  And a lot of doctors, you've heard us say this many times, Jeff and myself included,
[26:27.670 --> 26:30.330]  we haven't worked on paper charts.
[26:30.870 --> 26:37.050]  We've never had light boxes where we pull up a CT scan that's printed on something
[26:37.050 --> 26:38.650]  and put it up against a wall to read it.
[26:38.650 --> 26:43.250]  We've always accessed those through workstations and PACS software.
[26:43.350 --> 26:49.570]  So you take what we're trained on, this digital infrastructure, this connected, vulnerable infrastructure,
[26:49.570 --> 26:56.050]  and you add a pandemic on top of it, and then you take away the tools that we're used to using,
[26:56.050 --> 26:57.910]  undoubtedly patients would suffer.
[26:57.910 --> 27:00.650]  So that one-two punch is definitely something very concerning.
[27:00.650 --> 27:06.350]  To the heart of your question, which is how do we as clinicians make that trade-off
[27:06.350 --> 27:13.030]  or decision about, here's a more secure device, but it has less clinical utility or functionality
[27:13.030 --> 27:17.370]  compared to this more secure device, etc.
[27:17.370 --> 27:18.630]  So how do we make that trade-off?
[27:18.630 --> 27:27.210]  Honestly, looking straight into the camera, it's really hard to even have any bearing on that decision.
[27:27.210 --> 27:32.270]  So a lot of the devices that we use every day in clinical practice, we don't choose.
[27:32.590 --> 27:36.630]  We show up to the hospital and there are monitors that are there
[27:36.630 --> 27:41.030]  because they made that purchasing decision five, ten years ago.
[27:41.030 --> 27:46.290]  When you train to become a doctor, you may train for four or five years
[27:46.290 --> 27:51.970]  on a particular set of medical devices that you're going to implant, a particular brand.
[27:51.970 --> 27:54.070]  You become familiar with that.
[27:54.070 --> 27:56.170]  And so what do you do when you get out of practice?
[27:56.170 --> 27:58.230]  You use the exact same one.
[27:58.270 --> 28:04.250]  And so, believe it or not, there's much less time to reflect
[28:04.250 --> 28:08.270]  and much less ability than most people believe for us to pick
[28:08.270 --> 28:13.070]  which devices we use in clinical practice and to make that decision.
[28:13.110 --> 28:17.990]  With that being said, we're trying to educate other doctors on this.
[28:17.990 --> 28:21.670]  And when we do, like Jeff mentioned, they care.
[28:21.670 --> 28:23.370]  They want their patients to be safer.
[28:23.370 --> 28:25.210]  They want to use secure medical devices.
[28:25.210 --> 28:27.470]  They don't want their patient's health information
[28:27.470 --> 28:29.170]  or even their health to be at risk.
[28:29.170 --> 28:32.910]  So we have sympathetic ears from the clinicians.
[28:32.930 --> 28:37.010]  We just lack the ability to make it easy for them.
[28:37.010 --> 28:40.350]  What you don't want is your doctor to have to go to, you know,
[28:40.350 --> 28:42.250]  14 years to train to be a doctor
[28:42.250 --> 28:46.450]  and then go and have to take another year or two of cybersecurity coursework
[28:46.450 --> 28:48.330]  or whatever to become competent.
[28:48.330 --> 28:51.270]  You really have to make it easy for them to make the right decision
[28:51.270 --> 28:55.650]  and convince them that they should tell other people
[28:55.650 --> 28:58.190]  in their hospital and other doctors that it's important.
[28:59.110 --> 29:02.230]  I think to that point, that's maybe a misperception
[29:02.230 --> 29:05.450]  that the expectation is that everyone in this supply chain
[29:05.450 --> 29:07.550]  has to become a cybersecurity expert.
[29:07.550 --> 29:10.550]  I think maybe that's a fatal flaw in how we think about solving this
[29:10.550 --> 29:14.170]  is if we need to sufficiently educate individuals
[29:15.570 --> 29:19.370]  by having them... you're not a medical device practitioner
[29:19.370 --> 29:21.790]  but hey, I can teach you all about cybersecurity here.
[29:22.110 --> 29:26.030]  It's really hard to think that you can sufficiently educate folks
[29:26.030 --> 29:27.650]  that this isn't their core competency on.
[29:27.650 --> 29:31.390]  Not to say they can't have some level of understanding what the impact is.
[29:31.390 --> 29:34.770]  And I think making it tangible for their work stream or function
[29:34.770 --> 29:37.570]  or whatever the case may be is the perfect way to do that.
[29:37.570 --> 29:41.810]  But I would love to hear kind of the thought around
[29:41.810 --> 29:45.610]  how we think about leveraging those who are experts
[29:45.610 --> 29:47.410]  and not necessarily trying to solve it ourselves
[29:47.410 --> 29:48.670]  and going at it alone.
[29:48.670 --> 29:50.530]  Because I think that's probably a fatal flaw
[29:50.530 --> 29:53.350]  and has caused some of the historical challenge
[29:53.350 --> 29:55.250]  that you're talking about when you inherit a hospital
[29:55.250 --> 29:57.510]  full of devices that you didn't pick.
[29:58.490 --> 30:02.830]  And surely as well, like Jeff was saying,
[30:03.570 --> 30:06.270]  normally physicians are used to sort of having to balance
[30:06.950 --> 30:08.930]  different pros and cons and different requirements
[30:08.930 --> 30:12.490]  to make the best medical choice for each patient.
[30:13.070 --> 30:16.130]  But I think historically, maybe they weren't even aware
[30:16.130 --> 30:18.730]  that this is one of the things they need to consider.
[30:18.730 --> 30:22.050]  So even just how can we raise awareness
[30:22.690 --> 30:24.750]  and just in the consciousness that,
[30:24.750 --> 30:26.510]  oh, that's something that I need to consider
[30:26.510 --> 30:27.630]  even if I'm not an expert.
[30:27.630 --> 30:29.550]  Maybe I can have an expert on hand
[30:29.550 --> 30:32.190]  or I can read a rating for a device
[30:32.190 --> 30:34.170]  and make a decision somehow that way.
[30:34.310 --> 30:35.670]  You know, what kind of solutions are there
[30:36.670 --> 30:38.330]  moving forward in that direction?
[30:39.890 --> 30:41.930]  So I've actually spent some time
[30:42.410 --> 30:44.290]  working a lot with the cardiologists
[30:44.290 --> 30:46.610]  and their technicians in South Africa
[30:46.610 --> 30:49.810]  trying to just have the discussion.
[30:49.810 --> 30:52.650]  And I had a phone call from my cardiologist
[30:52.650 --> 30:55.610]  saying, we've had a recall of devices.
[30:55.850 --> 30:58.290]  I need to explant a device,
[30:58.290 --> 31:01.170]  but I don't know how to explain it to my patient.
[31:01.170 --> 31:03.330]  I don't even sufficiently understand
[31:03.330 --> 31:06.330]  the engineering tool on the document.
[31:06.330 --> 31:07.870]  Can you translate?
[31:08.070 --> 31:10.590]  So I think the big thing is we are using
[31:10.590 --> 31:13.230]  our language, our linguistics,
[31:13.870 --> 31:15.870]  instead of making it familiar
[31:16.670 --> 31:19.830]  to the medical practitioners.
[31:19.830 --> 31:21.570]  And I think there should be that portion
[31:21.570 --> 31:24.310]  in the hospital that does that translation.
[31:24.730 --> 31:26.310]  Because I can tell you
[31:26.310 --> 31:28.310]  that was a very difficult conversation
[31:28.310 --> 31:30.490]  having with a 65-year-old lady
[31:30.490 --> 31:33.150]  that doesn't understand technology.
[31:33.250 --> 31:34.690]  I mean, the doctor didn't even
[31:34.690 --> 31:38.190]  sufficiently understand why he had to explant
[31:38.190 --> 31:40.650]  the device that was just being recalled.
[31:42.290 --> 31:44.250]  And that's the unfortunate thing
[31:44.250 --> 31:47.210]  is they are expected to make these decisions.
[31:47.210 --> 31:50.430]  And as he says, he has a patient coming in.
[31:50.430 --> 31:52.790]  His blood pressure is high.
[31:52.790 --> 31:55.590]  He needs to adjust the ICD and the pacemaker.
[31:55.690 --> 31:56.950]  What he doesn't tell him
[31:56.950 --> 31:59.210]  is that his wife cooked a high-sodium meal
[31:59.210 --> 32:01.310]  which affected his blood pressure.
[32:01.310 --> 32:02.730]  And a week later, he comes back
[32:02.730 --> 32:04.230]  because he's having issues.
[32:05.930 --> 32:08.290]  Therapy has changed significantly.
[32:08.290 --> 32:09.930]  So those are the challenges
[32:09.930 --> 32:12.390]  they deal with having to solve
[32:12.390 --> 32:14.350]  the clinical puzzles.
[32:14.430 --> 32:15.350]  And I think adding
[32:15.350 --> 32:18.350]  the technical stuff on top of it
[32:18.350 --> 32:20.530]  especially using terminology
[32:20.530 --> 32:21.710]  they don't understand
[32:22.270 --> 32:24.730]  is where we've been going wrong.
[32:25.070 --> 32:26.410]  We should be finding ways
[32:26.410 --> 32:28.970]  to translate it better for them.
[32:29.670 --> 32:32.470]  I think that's a failure
[32:32.470 --> 32:34.270]  overall of how
[32:34.270 --> 32:36.750]  we've designed not only
[32:36.750 --> 32:38.770]  medical devices, but how we do cybersecurity
[32:38.770 --> 32:41.250]  overall. So many times
[32:41.250 --> 32:42.790]  if somebody gets hacked
[32:42.790 --> 32:44.810]  or whatever, it's their fault.
[32:44.810 --> 32:46.690]  Setting aside corporations who get
[32:47.330 --> 32:48.190]  DDoSed or whatever
[32:48.190 --> 32:50.650]  and claim to have been a victim of a sophisticated
[32:50.650 --> 32:52.890]  cyber attack, there are times
[32:52.890 --> 32:54.370]  when people get hit by something
[32:54.370 --> 32:56.350]  and it really wasn't their fault.
[32:56.350 --> 32:57.610]  There were so many different things
[32:57.610 --> 33:00.150]  that they have been expected to know.
[33:00.570 --> 33:02.090]  And I think something
[33:02.790 --> 33:04.070]  a professor once said to me
[33:04.930 --> 33:06.190]  stuck with me. We were talking
[33:06.190 --> 33:08.410]  about this whole thing about people are just so dumb
[33:08.410 --> 33:10.830]  about cyber. Why can't they just be better?
[33:10.850 --> 33:12.010]  He's like, yeah, and all those people
[33:12.010 --> 33:13.990]  who are driving Ford Pintos, what the hell
[33:13.990 --> 33:16.670]  were they thinking letting their cars blow up?
[33:18.190 --> 33:20.390]  And I think that that's kind of the way
[33:20.390 --> 33:22.090]  that was sort of a lightbulb moment for me
[33:22.090 --> 33:24.410]  of being like, oh, we have
[33:24.410 --> 33:26.250]  to design devices that don't blow
[33:26.250 --> 33:27.770]  up in people's faces.
[33:28.110 --> 33:30.070]  We have to make it as easy
[33:30.070 --> 33:31.110]  as humanly possible
[33:31.110 --> 33:33.150]  to do
[33:33.150 --> 33:35.210]  something securely. Doing something
[33:35.210 --> 33:37.490]  securely needs to be the easiest thing.
[33:37.490 --> 33:39.310]  And if doing something securely is the most
[33:39.310 --> 33:41.490]  difficult thing, that's not the fault
[33:41.490 --> 33:43.390]  of the user who then didn't do the
[33:43.390 --> 33:45.330]  secure thing. That is the fault of the designer
[33:45.850 --> 33:47.730]  who made the device poorly.
[33:47.730 --> 33:49.370]  And so I think we've
[33:49.370 --> 33:51.430]  gotten away with, frankly, in a lot of
[33:51.430 --> 33:53.470]  cases, being really lazy
[33:53.470 --> 33:55.370]  and offloading the responsibility
[33:55.370 --> 33:57.310]  onto other people. And I think
[33:57.310 --> 33:59.130]  what we have to do, especially
[33:59.130 --> 34:01.310]  within the healthcare sector, is all parts of it
[34:01.310 --> 34:03.430]  we have to sort of reclaim
[34:03.430 --> 34:05.430]  the responsibility that has been ours
[34:05.430 --> 34:07.250]  all along and actually
[34:07.250 --> 34:09.630]  really do what we need to do.
[34:10.570 --> 34:11.210]  Yeah, I mean,
[34:11.210 --> 34:13.110]  the responsibility, I'm very big,
[34:13.110 --> 34:15.110]  the responsibility to build these things
[34:15.110 --> 34:18.010]  better is the manufacturers.
[34:18.170 --> 34:19.290]  Right? They're the
[34:19.290 --> 34:21.070]  ones that have the control
[34:21.070 --> 34:23.070]  over the firmware and the hardware.
[34:23.070 --> 34:25.170]  We shouldn't be pointing the finger at the hospital
[34:25.170 --> 34:27.310]  saying, hey, your device
[34:27.310 --> 34:29.430]  your network got hacked because you have vulnerable
[34:29.430 --> 34:31.510]  devices. Well,
[34:31.510 --> 34:33.770]  those should have been built better.
[34:34.930 --> 34:35.490]  Right?
[34:35.650 --> 34:37.450]  Because now we're leading, we're in
[34:37.450 --> 34:39.690]  the industry now where we're putting Band-Aids on.
[34:39.690 --> 34:41.390]  Right? The vulnerability is disclosed.
[34:41.390 --> 34:43.490]  Now we have to run and we're always on the back
[34:43.490 --> 34:45.150]  foot fixing stuff.
[34:45.250 --> 34:47.590]  But the manufacturers should be stepping up
[34:47.590 --> 34:49.430]  and should be doing a better
[34:49.430 --> 34:51.330]  job at this.
[34:51.490 --> 34:52.950]  I completely agree.
[34:54.510 --> 34:55.390]  I completely
[34:55.390 --> 34:57.550]  agree. There's a lot that the device
[34:57.550 --> 34:59.650]  manufacturers can
[34:59.650 --> 35:01.590]  do, should do, and I think some
[35:01.590 --> 35:03.370]  of them have been doing.
[35:03.630 --> 35:05.550]  But there's also a key
[35:05.550 --> 35:07.490]  important thing. They can't control it
[35:07.490 --> 35:09.530]  once it's deployed. So if
[35:09.530 --> 35:11.670]  they're deploying a
[35:12.710 --> 35:13.890]  somewhat secure medical
[35:13.890 --> 35:15.690]  device on an unsecured network, or
[35:15.690 --> 35:17.750]  if they're turning off security controls
[35:17.750 --> 35:20.830]  for sake of ease of
[35:20.830 --> 35:22.210]  integrating into their clinical
[35:22.210 --> 35:23.490]  environment, or if they're not
[35:23.490 --> 35:25.470]  patching critical systems around these
[35:25.470 --> 35:27.490]  medical devices, there's
[35:27.490 --> 35:29.550]  some shared responsibility there, and I think
[35:29.550 --> 35:31.470]  that's really important, is that
[35:31.470 --> 35:33.890]  we need to be having not only a strong
[35:33.890 --> 35:35.510]  conversation with device
[35:35.510 --> 35:38.070]  manufacturers, they do the right thing from the start,
[35:38.070 --> 35:39.430]  but we need to be able to be
[35:39.430 --> 35:41.590]  giving hospitals the
[35:41.590 --> 35:43.590]  appropriate resources, education, and
[35:43.590 --> 35:44.670]  holding them accountable
[35:45.350 --> 35:47.470]  when there's something egregious.
[35:47.470 --> 35:49.110]  Now, I don't think they should be
[35:49.450 --> 35:51.350]  asked to solve the issues
[35:51.350 --> 35:53.270]  of insecure medical devices because
[35:53.270 --> 35:55.450]  they just can't. But we've
[35:55.450 --> 35:57.490]  seen time and time again some pretty
[35:57.490 --> 35:59.250]  horrible security practices
[35:59.250 --> 36:01.370]  by healthcare institutions that
[36:01.370 --> 36:03.810]  have nothing to do with medical device manufacturers,
[36:03.810 --> 36:05.390]  but yet still could have patient
[36:05.390 --> 36:07.450]  safety implications. Things like
[36:07.450 --> 36:09.430]  all the denial of service attacks we see,
[36:09.430 --> 36:11.150]  the ransomware attacks,
[36:11.150 --> 36:13.110]  the theft, I mean, it's not just critical
[36:13.750 --> 36:15.770]  healthcare infrastructure like hospitals,
[36:15.770 --> 36:17.410]  we've been seeing attacks on
[36:17.410 --> 36:19.510]  research. So I'm sure people
[36:19.510 --> 36:21.670]  have seen in the news, and I think Jeff mentioned,
[36:21.670 --> 36:23.470]  ransomware attacks on critical
[36:23.470 --> 36:25.870]  medical research infrastructure,
[36:25.870 --> 36:27.710]  state-sponsored attacks on
[36:27.710 --> 36:28.650]  COVID
[36:29.670 --> 36:31.470]  research and vaccine
[36:31.470 --> 36:33.490]  trials data.
[36:33.490 --> 36:35.690]  So we have to have a
[36:35.690 --> 36:37.890]  shared responsibility. This is a whole
[36:37.890 --> 36:39.710]  ecosystem. It's really trying to figure out
[36:40.650 --> 36:42.070]  what's the best bang for
[36:42.070 --> 36:44.230]  our buck. And I feel like a lot of the
[36:44.230 --> 36:46.410]  conversations focus around medical devices
[36:46.510 --> 36:47.450]  because it's a much easier thing
[36:47.450 --> 36:49.450]  to tackle than trying to go to
[36:50.050 --> 36:51.630]  a rural access hospital
[36:51.630 --> 36:53.470]  in South Dakota and
[36:53.470 --> 36:55.470]  fixing their broken network.
[36:55.470 --> 36:57.330]  And then being able to monitor that and
[36:57.330 --> 36:59.450]  continually say, how are you going
[36:59.450 --> 37:00.970]  to secure
[37:00.970 --> 37:03.290]  every hospital and
[37:03.290 --> 37:05.310]  clinic and doctor's office in the entire
[37:05.310 --> 37:07.470]  United States? That's a much harder
[37:07.470 --> 37:08.730]  problem.
[37:08.850 --> 37:11.750]  But I...
[37:11.750 --> 37:13.630]  Can I go?
[37:14.710 --> 37:15.810]  Oh, that's it.
[37:15.810 --> 37:17.230]  I'd like to...
[37:17.910 --> 37:19.030]  Sorry.
[37:19.350 --> 37:21.650]  I just wanted to say, right, it's not just
[37:21.830 --> 37:23.510]  a United States problem, right?
[37:23.510 --> 37:25.910]  It's a global problem.
[37:26.050 --> 37:27.730]  You know, hate to be the one
[37:27.730 --> 37:29.830]  to point it, but this is
[37:30.210 --> 37:32.170]  a big problem everywhere.
[37:32.170 --> 37:33.570]  And I know everyone
[37:33.570 --> 37:35.530]  on here is from the US. I'm the only
[37:35.530 --> 37:37.110]  oddball after this.
[37:37.110 --> 37:38.270]  I'm from Canada.
[37:39.650 --> 37:41.870]  I don't feel so alone.
[37:41.970 --> 37:43.890]  But the thing is just
[37:43.890 --> 37:45.870]  every hospital is different,
[37:45.870 --> 37:47.830]  right? There's no
[37:47.830 --> 37:50.590]  cookie cutter way of looking at the problem.
[37:50.770 --> 37:52.010]  Every hospital network
[37:52.010 --> 37:54.030]  is different. And I think sometimes
[37:54.030 --> 37:55.790]  what we forget is the patient
[37:55.790 --> 37:57.890]  record systems. Like,
[37:57.890 --> 37:59.970]  I never used to consider it.
[37:59.970 --> 38:01.850]  But then I sat back and thought from the
[38:01.850 --> 38:03.790]  cyber criminal perspective, it is the
[38:03.790 --> 38:05.790]  ultimate identity thing. It's the
[38:05.790 --> 38:08.350]  thing that you can keep selling constantly.
[38:08.390 --> 38:09.790]  And it's often the thing
[38:09.790 --> 38:11.730]  that's least protected. Because
[38:11.730 --> 38:13.890]  we're focusing so much on medical devices,
[38:13.890 --> 38:15.710]  we've forgotten what a treasure trove
[38:15.710 --> 38:17.670]  that holds. And I mean,
[38:17.670 --> 38:19.430]  that's moving to the cloud.
[38:20.210 --> 38:21.610]  So, you know, Microsoft
[38:21.610 --> 38:23.830]  is one of the big proponents that's moving
[38:23.830 --> 38:25.710]  everything now to the cloud in terms
[38:25.710 --> 38:27.650]  of patient records and
[38:27.650 --> 38:29.410]  clinical systems.
[38:29.770 --> 38:31.730]  So I'd be interested to see how the smaller
[38:31.730 --> 38:33.650]  hospitals are actually going to be able to
[38:33.650 --> 38:35.230]  cope with having to do
[38:35.230 --> 38:37.510]  you know, perimeterless
[38:37.510 --> 38:39.630]  defenses, you know,
[38:39.630 --> 38:41.410]  zero trust networks, or
[38:41.410 --> 38:43.290]  even cloud solutions.
[38:43.770 --> 38:45.590]  Because I think the big
[38:45.590 --> 38:48.410]  hospitals like Mayo might be fine.
[38:48.430 --> 38:49.470]  But you have the smaller
[38:49.470 --> 38:51.290]  rural hospitals that
[38:51.290 --> 38:53.650]  I don't even know if they have IT
[38:53.650 --> 38:55.830]  or security on the premises.
[38:55.930 --> 38:57.690]  Or whether they're paying someone, a third
[38:57.690 --> 38:59.890]  party, to do the solution for them.
[39:01.390 --> 39:02.990]  Yeah, I'd like...
[39:02.990 --> 39:04.950]  Go ahead. You go first. Okay.
[39:04.950 --> 39:07.590]  I wanted to go back to the topic of
[39:07.590 --> 39:08.690]  responsibility.
[39:09.530 --> 39:11.610]  And I would have to echo
[39:11.610 --> 39:13.430]  with Christian. I think the...
[39:13.430 --> 39:15.610]  I think it is a shared responsibility.
[39:15.670 --> 39:17.650]  Obviously, I think that, you know,
[39:17.650 --> 39:19.530]  I work for a medical device manufacturer.
[39:19.530 --> 39:22.070]  I'm a software... an embedded software engineer.
[39:22.390 --> 39:23.990]  I think about these things.
[39:23.990 --> 39:25.530]  I want to make sure that I'm doing
[39:25.530 --> 39:27.230]  my part to build really secure
[39:27.230 --> 39:29.430]  and awesome, safe
[39:29.930 --> 39:31.650]  products for end users. I care
[39:31.770 --> 39:32.810]  a lot about that.
[39:33.490 --> 39:35.610]  But I think it's easy to blame
[39:35.610 --> 39:37.730]  manufacturers, and it's often
[39:37.730 --> 39:39.570]  more complicated. Again, it's this balancing
[39:39.570 --> 39:41.650]  act. So, I work for
[39:42.110 --> 39:43.970]  a medical device manufacturer that's a
[39:43.970 --> 39:45.770]  consulting firm. So we don't have any of our own
[39:45.770 --> 39:47.850]  in-house products. We have people who
[39:47.850 --> 39:49.950]  come to us, and we have clients, and
[39:49.950 --> 39:52.010]  you know, some of them are
[39:52.010 --> 39:54.570]  business people, and some of them are other
[39:54.570 --> 39:55.870]  medical device manufacturers
[39:55.870 --> 39:57.610]  that subcontract to us.
[39:57.610 --> 39:59.950]  But we have a lot of people who are just
[39:59.950 --> 40:01.890]  doctors, and clinicians, and other people
[40:01.890 --> 40:03.570]  who are really passionate about saving
[40:03.570 --> 40:05.510]  lives. And they come to us, and they're like,
[40:05.510 --> 40:06.670]  we have this idea.
[40:07.370 --> 40:09.150]  We see this gap.
[40:09.450 --> 40:11.570]  We desperately want to help our patients.
[40:11.610 --> 40:13.610]  Please help us build this. We have this
[40:13.610 --> 40:15.530]  tiny, tiny budget. We only
[40:15.530 --> 40:17.210]  have this amount of time to do it in because
[40:17.210 --> 40:19.450]  we got this little budget from these people, but
[40:19.450 --> 40:21.530]  they say we have to get it done by this time.
[40:21.530 --> 40:23.350]  And we were
[40:23.350 --> 40:25.210]  working really, really hard to try to meet
[40:25.210 --> 40:27.150]  all these deadlines and actually make this
[40:27.150 --> 40:29.790]  little device that, you know,
[40:29.790 --> 40:31.390]  if we can give it to those doctors, it
[40:31.390 --> 40:33.170]  might save lives.
[40:33.450 --> 40:35.410]  And then for, you know, for us
[40:35.410 --> 40:37.710]  to come in and try to say, like,
[40:37.710 --> 40:39.410]  oh, we have to add all
[40:39.410 --> 40:41.410]  of these security things, and, you know, maybe
[40:41.410 --> 40:43.370]  it's going to affect the
[40:43.370 --> 40:45.530]  budget. It's going to affect the timeline. And,
[40:45.530 --> 40:47.610]  you know, again, I care about these things.
[40:47.610 --> 40:49.450]  I'm in there. I'm advocating for this
[40:49.450 --> 40:50.690]  stuff. But it's hard
[40:51.590 --> 40:53.370]  to say, you know, if you only have this
[40:53.370 --> 40:55.830]  much budget, and it's...
[40:55.830 --> 40:57.270]  how do you choose? How do you tell
[40:57.270 --> 40:59.510]  them, okay, you shouldn't...
[40:59.510 --> 41:01.450]  we just aren't going to be able to make this and
[41:01.450 --> 41:03.490]  implement this part of security, like,
[41:03.490 --> 41:05.250]  where to draw the line. I think it's...
[41:05.250 --> 41:07.310]  I think it's more complicated
[41:07.310 --> 41:09.590]  and harder, like,
[41:09.590 --> 41:10.750]  in practice.
[41:11.070 --> 41:13.430]  And it's hard to just say, well,
[41:13.430 --> 41:15.310]  the medical device manufacturer
[41:15.310 --> 41:15.830]  should
[41:17.490 --> 41:18.890]  just do it.
[41:19.830 --> 41:21.670]  You know, how do you make that choice?
[41:23.330 --> 41:25.510]  I actually want to add to that story.
[41:25.510 --> 41:27.490]  So I started working with Medtronic.
[41:27.490 --> 41:29.610]  And I'm a hard ass. Everyone knows
[41:29.610 --> 41:31.510]  that I say a bunch of things
[41:31.510 --> 41:33.570]  three years ago. Cool came out
[41:33.570 --> 41:35.430]  because I was unhappy with how
[41:35.430 --> 41:38.010]  our conversation went, because we had a
[41:38.710 --> 41:40.150]  legal situation.
[41:40.150 --> 41:41.370]  And I started
[41:41.370 --> 41:43.490]  the first six months of my project
[41:44.670 --> 41:45.650]  listening and
[41:45.650 --> 41:47.690]  getting to know the developers and the
[41:48.010 --> 41:49.930]  software, firmware engineers
[41:49.930 --> 41:52.110]  and the hardware engineers.
[41:52.110 --> 41:53.530]  And I sat back
[41:53.530 --> 41:55.190]  and listened and realized that
[41:55.190 --> 41:57.110]  these are real people that are wanting
[41:57.110 --> 41:59.230]  to make a real difference. Really,
[41:59.230 --> 42:00.930]  they are. And
[42:00.930 --> 42:03.190]  one of the specific engineers, Rob
[42:03.190 --> 42:05.150]  Maslow, had a big impact on my
[42:05.150 --> 42:07.150]  life because he said to me,
[42:07.150 --> 42:09.110]  he said, tell me what you want on your device. Tell
[42:09.110 --> 42:11.170]  me all the security you want.
[42:11.350 --> 42:13.130]  Get to the list to me and let's
[42:13.130 --> 42:15.030]  discuss this. And he turned around
[42:15.030 --> 42:17.090]  and said to me, well, so you're getting a new
[42:17.090 --> 42:19.110]  device every three years, right?
[42:19.250 --> 42:21.150]  And I said to him, well, no, there's no
[42:21.150 --> 42:23.290]  fucking way that I'm doing that to myself.
[42:23.290 --> 42:25.110]  And he's like, well, then you can't have
[42:25.110 --> 42:27.470]  all of that. He says there's
[42:27.470 --> 42:29.370]  trade-offs for everything.
[42:29.470 --> 42:31.330]  So, specifically with
[42:31.330 --> 42:33.290]  embedded implanted devices,
[42:33.290 --> 42:35.730]  the more security you add,
[42:35.730 --> 42:37.310]  the less lifetime
[42:37.310 --> 42:38.990]  you'll have on your battery.
[42:39.230 --> 42:41.050]  Because I can tell you the one thing that
[42:41.050 --> 42:43.290]  is worth gold is
[42:43.290 --> 42:44.990]  how long your device lasts
[42:44.990 --> 42:47.170]  because it is a horrible thing
[42:47.170 --> 42:49.230]  to cut out. And I don't know if you
[42:49.230 --> 42:51.190]  guys know, but the more you cut it
[42:51.190 --> 42:53.330]  out, the more scar tissue
[42:53.330 --> 42:55.330]  forms, and the
[42:55.330 --> 42:57.690]  worse it gets, right?
[42:57.950 --> 42:59.350]  I've had my device
[42:59.350 --> 43:01.330]  since 19. I wouldn't be
[43:01.330 --> 43:03.310]  here without it. So, people building
[43:03.310 --> 43:05.350]  these things, I would be dead.
[43:05.350 --> 43:07.550]  I had two weeks left to live. That was
[43:07.550 --> 43:09.350]  the serious situation.
[43:10.210 --> 43:11.270]  So, I think
[43:11.270 --> 43:13.270]  sometimes we want all the
[43:13.270 --> 43:15.190]  security in the world, but we
[43:15.190 --> 43:17.290]  don't realize there's trade-offs.
[43:17.890 --> 43:19.470]  These devices are
[43:19.470 --> 43:21.470]  there to save lives. And if we
[43:21.470 --> 43:23.510]  try and push security too much, there's
[43:23.710 --> 43:25.250]  a whole lot of set of devices
[43:25.250 --> 43:27.190]  that will never come to market
[43:27.830 --> 43:29.910]  and they will never save lives.
[43:29.910 --> 43:31.470]  And that's one big lesson that
[43:31.470 --> 43:33.690]  I had to learn and I had to have humble pie
[43:33.690 --> 43:35.330]  and I had to swallow
[43:35.330 --> 43:37.250]  my words and realize that
[43:37.250 --> 43:39.330]  you know, there's people
[43:39.330 --> 43:41.410]  behind this wanting to make a difference with
[43:41.410 --> 43:43.350]  technology and science. And without
[43:43.350 --> 43:45.510]  that device,
[43:45.510 --> 43:47.270]  I wouldn't be here.
[43:47.790 --> 43:49.710]  I wouldn't have my kids.
[43:50.650 --> 43:51.450]  So, technology
[43:51.450 --> 43:53.230]  does save lives in ways.
[43:53.310 --> 43:55.110]  We must just find the perfect balance
[43:55.790 --> 43:57.810]  to balance everything out.
[43:58.270 --> 43:59.270]  And your perspective
[43:59.270 --> 44:01.530]  V, and
[44:01.530 --> 44:03.310]  folks like you, like
[44:03.310 --> 44:05.490]  Marie Moe, who have these incredible
[44:05.490 --> 44:07.510]  security backgrounds, but also are patients
[44:07.510 --> 44:09.190]  is so incredibly valuable
[44:09.190 --> 44:11.330]  to be able to consider these types
[44:11.330 --> 44:13.230]  of trade-offs in like a human person, right?
[44:13.230 --> 44:15.390]  In like a very real way. And one of the things
[44:15.390 --> 44:17.130]  that Christian and I are working on is
[44:17.130 --> 44:18.810]  how do we understand
[44:20.250 --> 44:21.410]  the role of the
[44:21.410 --> 44:23.330]  patient as a stakeholder in these types
[44:23.330 --> 44:24.470]  of conversations?
[44:26.010 --> 44:27.710]  And is there a
[44:27.710 --> 44:29.730]  utility in
[44:29.730 --> 44:31.490]  having those types of conversations with this
[44:31.490 --> 44:33.870]  60-year-old man who needs to get his pacemaker
[44:33.870 --> 44:35.950]  revised? Or is there
[44:35.950 --> 44:37.890]  a trade-off between the potential risk
[44:37.890 --> 44:40.270]  of a vulnerability being exploited and then
[44:40.270 --> 44:41.870]  putting him through that process of having
[44:41.870 --> 44:43.310]  it revised? And I think it highlights
[44:43.310 --> 44:45.490]  one of the things that Christian and I are so
[44:45.950 --> 44:47.490]  interested in is just developing
[44:47.690 --> 44:50.070]  a data and a
[44:50.070 --> 44:52.150]  science around this to be able to say
[44:52.150 --> 44:53.530]  in other types of medical therapies,
[44:53.530 --> 44:55.510]  we have very clear risks. You know, if I give you a
[44:55.510 --> 44:57.490]  blood transfusion, there's about a 1 in
[44:57.490 --> 44:59.650]  1.5 to 2 million chance that you might have an
[45:00.110 --> 45:01.670]  infection that's serious as a result
[45:01.670 --> 45:03.530]  of that or heart or
[45:03.530 --> 45:05.610]  lung issues. We really don't have the ability
[45:05.610 --> 45:07.570]  to have conversations with patients and say,
[45:07.570 --> 45:10.350]  this is the clear-cut risk because
[45:10.350 --> 45:11.350]  thankfully we haven't seen
[45:11.350 --> 45:12.870]  many incidents of issues
[45:13.470 --> 45:15.410]  and that doesn't mean that there's an absence of
[45:15.410 --> 45:17.370]  risk, but it makes it harder for us to have
[45:17.370 --> 45:19.390]  discussions with patients and say, really, this is the
[45:19.390 --> 45:21.390]  type of math that you have to weigh as
[45:21.550 --> 45:23.290]  a patient with your own values and preferences
[45:23.290 --> 45:25.450]  and things like that. And we've kind of done some
[45:25.450 --> 45:27.450]  work on touching on this idea of a cybersecurity
[45:27.450 --> 45:29.330]  informed consent to
[45:29.330 --> 45:31.670]  say, we talk about risks,
[45:31.670 --> 45:33.310]  you know, medical risks of surgeries
[45:33.310 --> 45:35.390]  and medications and things like that
[45:35.390 --> 45:37.230]  that they may be on. Should we start thinking about
[45:37.230 --> 45:39.290]  cybersecurity as a potential risk that should be
[45:39.290 --> 45:41.090]  included in this conversation
[45:41.630 --> 45:43.390]  a clinician has with a patient?
[45:44.650 --> 45:45.070]  And Jessica,
[45:45.070 --> 45:47.270]  I know the FDA is also really interested in
[45:47.270 --> 45:48.870]  this and you've had a lot of really cool outreach
[45:51.070 --> 45:51.510]  types
[45:51.510 --> 45:53.230]  of events to be able to talk to people
[45:53.230 --> 45:55.310]  like V. And I think it's that challenge of
[45:55.310 --> 45:57.470]  moving beyond people who are security literate
[45:57.470 --> 45:59.250]  to people who may not have heard about these
[45:59.250 --> 46:01.230]  issues whatsoever for as much as we talk about
[46:01.230 --> 46:03.430]  them and to be able to kind of have that
[46:03.430 --> 46:05.250]  enter the conversation so that they
[46:05.250 --> 46:07.130]  can, without having a background
[46:07.130 --> 46:08.550]  in cybersecurity, weigh that
[46:09.190 --> 46:11.350]  as part of their clinical process.
[46:12.370 --> 46:13.150]  Yeah, I mean,
[46:13.150 --> 46:14.970]  I think that there's a couple things that I would
[46:14.970 --> 46:16.970]  bring up on this. I mean, like, I think
[46:18.090 --> 46:18.970]  one, you know, you
[46:18.970 --> 46:21.210]  had mentioned that FDA has been doing a lot of
[46:21.210 --> 46:23.050]  this and I think V, you were actually at
[46:23.050 --> 46:24.610]  the October 2019
[46:25.070 --> 46:26.910]  meeting that we had the patient
[46:26.910 --> 46:28.910]  engagement advisory committee
[46:28.910 --> 46:31.090]  meeting, the PEAC meeting. And
[46:31.090 --> 46:33.030]  so FDA is very much
[46:34.130 --> 46:35.050]  trying to make sure
[46:35.050 --> 46:37.410]  that the patient perspective is heard.
[46:38.230 --> 46:38.970]  And it's not
[46:38.970 --> 46:41.030]  just yearly meetings and things
[46:41.030 --> 46:42.950]  like that. As many of you know, Suzanne
[46:42.950 --> 46:44.970]  Schwartz is very approachable. You can pretty much get
[46:44.970 --> 46:46.890]  her email and email her and she'll
[46:46.890 --> 46:49.270]  find time to talk to you.
[46:50.770 --> 46:51.010]  So
[46:51.010 --> 46:52.870]  that is a really critical part of this
[46:52.870 --> 46:55.010]  because, not that
[46:55.010 --> 46:56.530]  all of you are going around reading
[46:57.250 --> 46:59.070]  government white papers and things,
[46:59.070 --> 47:00.870]  but a couple of years ago, the FDA
[47:00.870 --> 47:03.030]  put out this medical device safety action plan
[47:03.030 --> 47:04.830]  and sort of setting aside
[47:04.830 --> 47:07.170]  the flowery language that all government
[47:07.170 --> 47:09.210]  documents, I think, were like decreed
[47:09.210 --> 47:10.850]  that they must use.
[47:11.250 --> 47:13.310]  Essentially what it says is
[47:13.310 --> 47:15.310]  look, it's exactly
[47:15.310 --> 47:17.010]  this issue of balancing
[47:17.010 --> 47:18.530]  the idea that
[47:18.530 --> 47:21.650]  patient safety is a two-fold concern.
[47:21.650 --> 47:22.950]  Right? There's the concern
[47:22.950 --> 47:25.010]  that we all typically think about on
[47:25.010 --> 47:26.750]  cybersecurity. Is this device
[47:27.910 --> 47:29.130]  safe and effective
[47:29.130 --> 47:31.130]  enough to justify its use
[47:31.130 --> 47:32.990]  with the patient? There's also
[47:32.990 --> 47:34.610]  the flip side of that, though, of what
[47:34.610 --> 47:36.990]  Ash was talking about and what V was talking
[47:36.990 --> 47:37.850]  about in that
[47:38.810 --> 47:41.390]  what happens if the patient can't get the device?
[47:41.390 --> 47:43.030]  That is another... that's got to be
[47:43.210 --> 47:45.150]  a thing that gets considered, too.
[47:45.310 --> 47:47.450]  And so, you know, FDA...
[47:47.450 --> 47:49.090]  when we talk about cybersecurity,
[47:49.090 --> 47:51.210]  when we usually do it, we're very explicitly
[47:51.210 --> 47:53.170]  talking about, do you
[47:53.170 --> 47:54.990]  have security controls? Do you
[47:54.990 --> 47:57.050]  have sufficient whatever to make sure
[47:57.050 --> 47:58.810]  that the device is cybersecure?
[47:58.810 --> 48:00.770]  But a less talked about part of
[48:00.770 --> 48:02.990]  the work, but that is equally important,
[48:02.990 --> 48:05.030]  is this idea that we recognize
[48:05.030 --> 48:07.050]  that sometimes devices
[48:07.050 --> 48:08.410]  need to get to patients
[48:08.950 --> 48:10.810]  because of the benefit that they're going
[48:10.810 --> 48:12.890]  to be able to provide. And maybe we don't have
[48:12.890 --> 48:14.810]  as much information. Maybe we don't have
[48:14.810 --> 48:16.750]  as much assurance of
[48:18.030 --> 48:18.850]  the things that
[48:18.850 --> 48:20.570]  we would like to. But, you know, this is the
[48:20.570 --> 48:22.630]  Breakthrough Device Program. This is some of these other
[48:22.630 --> 48:24.790]  investigational devices that come
[48:24.790 --> 48:26.650]  up and that FDA has specific
[48:26.650 --> 48:28.490]  categories for and authorities for
[48:28.490 --> 48:30.670]  things that you can do this. And it's exactly
[48:30.670 --> 48:32.730]  this recognition that
[48:32.730 --> 48:35.190]  the other folks on the panel are pointing out,
[48:35.190 --> 48:36.650]  which is that, in some cases,
[48:36.650 --> 48:38.670]  not having access to a device can
[48:38.670 --> 48:40.910]  be as big of a risk as having access to a
[48:40.910 --> 48:43.670]  device that isn't secure enough. And so,
[48:43.670 --> 48:45.090]  you know, I think that it is just an important
[48:45.090 --> 48:47.070]  point to highlight and, you know, that
[48:47.070 --> 48:48.890]  we as an agency keep in mind, but
[48:48.890 --> 48:50.730]  that this community,
[48:50.730 --> 48:52.670]  in addition, also keeps in mind
[48:52.670 --> 48:54.970]  as we have these kinds of conversations.
[48:57.570 --> 48:58.630]  All right, I want to
[48:58.630 --> 49:00.630]  change this. Oh, can I...
[49:00.630 --> 49:02.110]  I'm going to change the subject real quick
[49:02.110 --> 49:04.250]  because I heard a rumor
[49:05.030 --> 49:06.570]  there are thousands
[49:06.570 --> 49:08.370]  of hackers watching
[49:08.370 --> 49:10.470]  this stream right now. There are
[49:10.470 --> 49:12.290]  literally thousands of hackers
[49:12.290 --> 49:14.730]  from across the globe watching,
[49:14.730 --> 49:15.930]  you know,
[49:16.870 --> 49:17.350]  very
[49:18.730 --> 49:20.590]  interested in what we're talking about. And I'm
[49:20.590 --> 49:22.470]  sure they're thinking to themselves, wow, there
[49:22.470 --> 49:24.410]  are a lot of issues here I might not have been
[49:24.410 --> 49:26.330]  aware of anymore and they want to get involved.
[49:26.330 --> 49:28.390]  So, hackers out there wanting to get
[49:28.390 --> 49:30.190]  involved in this space, you know, how
[49:31.010 --> 49:32.630]  does... we've heard some examples,
[49:32.630 --> 49:34.550]  you know, there's been a
[49:34.550 --> 49:36.670]  group of hackers that have tried to defend
[49:36.670 --> 49:38.470]  hospitals against attackers
[49:38.930 --> 49:40.570]  during COVID. There are
[49:40.570 --> 49:42.410]  hackers printing protective
[49:43.230 --> 49:44.530]  equipment for doctors on the
[49:44.530 --> 49:46.970]  front line, etc., nurses.
[49:46.970 --> 49:48.410]  But, like, what's the next generation
[49:48.410 --> 49:50.990]  of this, right? Like, when the pandemic's done,
[49:50.990 --> 49:52.250]  how do hackers play a role in
[49:52.250 --> 49:54.290]  this space? Continuing
[49:54.290 --> 49:56.510]  doing research, is it bug bounties?
[49:56.510 --> 49:58.910]  You know, should a hospital have a bug bounty?
[49:58.910 --> 50:00.270]  Should a device manufacturer have
[50:00.390 --> 50:02.170]  a bug bounty? How does HIPAA
[50:02.170 --> 50:04.310]  play into that? You know,
[50:04.310 --> 50:06.630]  the protection of patient information.
[50:06.850 --> 50:07.950]  How do we really
[50:07.950 --> 50:10.950]  kind of bring hackers more into this space?
[50:16.330 --> 50:18.510]  Okay, I'm going to jump in, yeah.
[50:19.550 --> 50:20.690]  I have a
[50:20.690 --> 50:22.590]  dream and I have a dream with a friend of mine,
[50:22.590 --> 50:24.330]  you know. We want
[50:24.330 --> 50:26.330]  to establish a
[50:27.290 --> 50:28.750]  laboratory setup with
[50:28.750 --> 50:30.550]  devices, right? That
[50:30.550 --> 50:32.570]  people can actually do research on,
[50:32.570 --> 50:34.450]  that we can put on networks, that
[50:34.450 --> 50:36.450]  we can scan
[50:36.450 --> 50:38.510]  for vulnerabilities, that we can
[50:38.510 --> 50:40.810]  reverse engineer, that we can work with
[50:40.810 --> 50:43.510]  manufacturers to make better.
[50:43.510 --> 50:44.530]  I always see
[50:44.530 --> 50:46.990]  people wanting to break things,
[50:46.990 --> 50:48.470]  right? We want to
[50:48.470 --> 50:50.710]  find flaws, we want to find problems,
[50:50.710 --> 50:52.190]  but often we don't want to find the
[50:52.190 --> 50:54.030]  solution to the problem, because that's the
[50:54.030 --> 50:55.330]  harder part.
[50:56.050 --> 50:58.150]  So I want to say that if you
[50:58.150 --> 51:01.450]  find a device that's vulnerable,
[51:02.190 --> 51:04.070]  first remember they are human lives
[51:04.070 --> 51:06.170]  at stake, okay? This is not
[51:06.170 --> 51:08.150]  an ego thing. Try and find
[51:08.150 --> 51:10.850]  the solution to the problem that you found.
[51:11.110 --> 51:12.190]  Write it up as
[51:12.190 --> 51:14.110]  you would any scientific paper.
[51:14.110 --> 51:16.130]  I know it's hard work, I know it's not glorious
[51:16.130 --> 51:18.090]  and it's not sexy,
[51:18.090 --> 51:19.970]  but when you hand that over to the
[51:19.970 --> 51:21.150]  manufacturer,
[51:21.730 --> 51:24.130]  they have all the data.
[51:24.130 --> 51:25.850]  And the more data they have, the
[51:25.850 --> 51:28.110]  faster that they can verify the claim,
[51:28.110 --> 51:30.430]  they can start acting accordingly.
[51:31.110 --> 51:31.950]  Right? It's not
[51:31.950 --> 51:33.990]  going to be easy. Not all MDMs are going to
[51:33.990 --> 51:35.830]  want to be friendly, but
[51:35.830 --> 51:37.790]  it is changing. But the biggest
[51:37.790 --> 51:39.870]  thing is the more thorough your research
[51:39.870 --> 51:42.010]  is, the less dispute
[51:42.010 --> 51:43.810]  there can be, and the more we can
[51:43.810 --> 51:45.890]  find a way to fixing it.
[51:45.890 --> 51:47.850]  But it's not all about just bug
[51:47.850 --> 51:49.490]  bounties, because I think that
[51:49.490 --> 51:51.850]  for me creates a negative thing of
[51:51.850 --> 51:54.050]  we're just finding the problems.
[51:54.290 --> 51:55.710]  We should be finding problems
[51:55.710 --> 51:57.670]  and then solving them.
[51:57.870 --> 51:59.870]  That's the hacker mindset.
[52:00.210 --> 52:01.930]  It's not just about pointing
[52:01.930 --> 52:04.390]  fingers and saying, this is a problem.
[52:04.450 --> 52:06.450]  We should be working at the solution.
[52:06.450 --> 52:07.910]  We should be finding new ways
[52:07.910 --> 52:09.810]  of doing things. So I
[52:09.810 --> 52:11.990]  want to see a lab filled with medical
[52:11.990 --> 52:13.930]  devices that hackers can pull apart
[52:13.930 --> 52:15.930]  and we can build solutions.
[52:15.930 --> 52:17.730]  But not only hackers, you need
[52:17.730 --> 52:20.050]  people like Ash, right?
[52:20.530 --> 52:21.890]  Because, I mean, we're
[52:21.890 --> 52:23.870]  good at the other side of it, but
[52:23.870 --> 52:26.150]  I can't build these devices.
[52:26.150 --> 52:28.070]  I wouldn't even know where to start.
[52:28.270 --> 52:30.350]  So I think it needs to be a multidisciplinary
[52:30.350 --> 52:31.630]  approach.
[52:32.550 --> 52:33.770]  And even people like the
[52:33.770 --> 52:35.830]  FDA, you know, should be
[52:35.830 --> 52:37.750]  involved in it from a policy
[52:37.750 --> 52:39.250]  perspective. And
[52:39.890 --> 52:41.650]  you know, everyone should just be working
[52:41.650 --> 52:43.370]  together. We should be building the bridges
[52:43.370 --> 52:44.850]  towards having synergy
[52:45.170 --> 52:47.210]  and having a space where we can
[52:47.210 --> 52:48.990]  explore this. And I think Biohack is
[52:48.990 --> 52:51.290]  awesome for that, because they already do a lot
[52:51.290 --> 52:52.250]  of that.
[52:54.720 --> 52:56.520]  Sorry, I'm going to excuse my cat,
[52:56.520 --> 52:58.860]  who just really desperately jumped into my lap.
[52:58.860 --> 53:01.260]  I was trying to prevent it and failed.
[53:01.720 --> 53:02.400]  He just
[53:02.400 --> 53:04.320]  scaled the side of the chair.
[53:04.660 --> 53:06.740]  Welcome addition to the panel.
[53:08.320 --> 53:08.800]  So
[53:08.800 --> 53:10.440]  I love the notion of
[53:10.440 --> 53:12.500]  being part of the solution, and I
[53:12.500 --> 53:14.600]  think to your point, it does require
[53:14.600 --> 53:16.620]  multiple voices. You hit on a point
[53:16.620 --> 53:18.260]  that I think is really important, right?
[53:18.260 --> 53:20.540]  You, as someone who does
[53:20.680 --> 53:22.680]  a lot of security research, is not
[53:22.680 --> 53:24.560]  totally in the space of how do
[53:24.560 --> 53:26.640]  I build a medical device? I think we similarly
[53:26.640 --> 53:28.660]  need to not have the expectation of the people
[53:28.660 --> 53:30.400]  building medical devices to
[53:30.400 --> 53:32.260]  know how to solve some of these cybersecurity
[53:32.260 --> 53:34.260]  issues. So I think having
[53:34.260 --> 53:36.640]  the willingness to partner and really
[53:36.640 --> 53:38.640]  helping them not make
[53:38.640 --> 53:40.520]  cybersecurity their number
[53:40.520 --> 53:42.540]  two core capability,
[53:42.540 --> 53:44.080]  and instead offering them solutions,
[53:44.080 --> 53:46.400]  is absolutely critical and the way to make
[53:46.400 --> 53:48.460]  things actually stick.
[53:48.840 --> 53:50.220]  So should we have solution
[53:50.220 --> 53:51.560]  bounties then?
[53:52.400 --> 53:53.280]  Yes!
[53:53.600 --> 53:55.820]  You should trademark that.
[53:57.220 --> 53:58.100]  But I just
[53:58.100 --> 54:00.440]  want to bring up just a scenario.
[54:00.440 --> 54:02.140]  So it's not just for medical devices.
[54:02.140 --> 54:04.220]  You have a medical device bug bounty,
[54:04.220 --> 54:06.380]  for example. If that's a good or a bad thing,
[54:06.380 --> 54:08.360]  we could talk hours on that.
[54:08.360 --> 54:10.340]  But you don't have the issue of patient health
[54:10.340 --> 54:12.220]  information. And so hospitals
[54:12.220 --> 54:13.300]  can't offer
[54:14.660 --> 54:16.440]  hackers to come in and poke
[54:16.440 --> 54:18.420]  around the periphery of their networks or to
[54:18.420 --> 54:20.260]  give them that type of
[54:20.260 --> 54:22.480]  experience because of a couple things. One,
[54:22.480 --> 54:24.420]  their live networks are taking care of patients
[54:24.420 --> 54:26.320]  we would hate for something bad
[54:26.320 --> 54:28.320]  to happen. But then two, there's
[54:28.320 --> 54:30.340]  so much protected health information floating
[54:30.340 --> 54:32.400]  around a hospital's network. And if
[54:32.900 --> 54:34.100]  a security researcher or hacker
[54:34.100 --> 54:36.580]  in good faith
[54:36.580 --> 54:38.780]  trying to do right finds something
[54:38.780 --> 54:40.620]  and it happens to be commingled
[54:40.620 --> 54:42.580]  with patient health information, then the
[54:42.580 --> 54:44.560]  hospital is required to report that as
[54:45.040 --> 54:46.220]  a HIPAA breach, right?
[54:46.220 --> 54:48.600]  So there are some, perhaps
[54:48.600 --> 54:50.420]  some would call barriers, perhaps
[54:50.420 --> 54:52.660]  some would call safeguards. But what I think
[54:52.660 --> 54:54.020]  it's done is it's made
[54:54.580 --> 54:55.320]  not just
[54:56.240 --> 54:58.800]  the delivery of healthcare itself
[54:58.800 --> 55:00.540]  particularly difficult
[55:00.540 --> 55:02.620]  to engage with from
[55:02.620 --> 55:04.740]  the hacker perspective. And I
[55:04.740 --> 55:06.680]  think maybe we don't have to figure out
[55:06.680 --> 55:08.740]  that solution. Maybe that's one of the solution bounties
[55:08.740 --> 55:10.940]  we should offer. How can hackers get more involved?
[55:10.940 --> 55:13.020]  Give us your ideas. But particularly
[55:13.020 --> 55:14.800]  at hospitals where we've talked
[55:14.800 --> 55:16.860]  about they don't have a lot
[55:16.860 --> 55:18.680]  of in-house security expertise, if
[55:18.680 --> 55:20.840]  anything, but yet they're still
[55:21.940 --> 55:22.720]  asked to do
[55:22.720 --> 55:24.080]  all of that work.
[55:24.280 --> 55:26.540]  How can the community come together and help them out?
[55:26.540 --> 55:29.140]  Because that could be a lot of good right there.
[55:29.320 --> 55:30.640]  One very easy answer
[55:30.640 --> 55:32.560]  to that is just working in healthcare, right?
[55:32.560 --> 55:34.400]  So I would encourage anybody who's thinking about
[55:34.520 --> 55:36.580]  a career change, if you're
[55:36.580 --> 55:38.420]  looking for an area where you can make an
[55:38.420 --> 55:40.020]  incredible impact and
[55:40.360 --> 55:41.500]  have a lot of really challenging
[55:42.340 --> 55:44.100]  problems to solve,
[55:44.100 --> 55:46.440]  consider working for a hospital or a
[55:46.440 --> 55:48.520]  healthcare delivery organization or being adjacent
[55:48.520 --> 55:50.380]  to that in some way.
[55:50.380 --> 55:52.600]  We know that some of these
[55:52.600 --> 55:54.460]  hospitals we talked about in certain areas are
[55:54.460 --> 55:56.280]  critically underserved and may not even have a
[55:56.280 --> 55:58.440]  full-time IT security professional.
[55:58.440 --> 56:00.260]  So one way to get involved is just
[56:00.260 --> 56:02.280]  to join that
[56:02.280 --> 56:03.920]  effort as an actual
[56:05.040 --> 56:06.240]  employee of a healthcare
[56:06.240 --> 56:07.440]  organization.
[56:08.600 --> 56:10.460]  I've got some specific suggestions
[56:10.460 --> 56:12.360]  I think, and it's funny that you bring up
[56:12.360 --> 56:14.440]  HIPAA and other things like that,
[56:14.440 --> 56:16.540]  because I think one of the
[56:16.540 --> 56:18.200]  best ways that
[56:18.200 --> 56:20.260]  folks like these could get involved,
[56:20.260 --> 56:22.160]  whatever,
[56:22.160 --> 56:24.320]  there are actually specific programs
[56:24.320 --> 56:25.920]  that are being offered now within
[56:25.920 --> 56:27.900]  the federal government
[56:29.000 --> 56:30.300]  that puts you
[56:30.300 --> 56:31.920]  in policymakers' offices
[56:31.920 --> 56:34.000]  and lets you be the cybersecurity expert
[56:34.000 --> 56:35.800]  in the room for those people.
[56:36.800 --> 56:38.020]  There's the TechCongress
[56:38.020 --> 56:40.100]  Fellowship. Some of you
[56:40.100 --> 56:42.120]  may have heard of it. Some of you may have met
[56:42.120 --> 56:44.000]  some of the fellows. Chris
[56:44.000 --> 56:46.140]  Soghoian, who's probably
[56:46.540 --> 56:48.100]  a well-known name for some
[56:48.100 --> 56:50.200]  of you all, was a TechCongress fellow.
[56:50.200 --> 56:52.120]  He now works permanently for a senator
[56:52.120 --> 56:54.660]  and is that senator's tech person.
[56:54.880 --> 56:56.180]  But there's been
[56:56.180 --> 56:57.920]  dozens of others. They've
[56:57.920 --> 57:00.080]  got great folks. It's a great program.
[57:00.080 --> 57:01.980]  Places you with either a House
[57:01.980 --> 57:03.600]  office or a Senate office.
[57:05.160 --> 57:06.020]  And so that's one of the most
[57:06.020 --> 57:07.660]  direct ways that you can actually influence
[57:08.240 --> 57:09.920]  policymaking in this sense, is actually
[57:09.920 --> 57:12.380]  go be in the room when the policy is being made.
[57:12.540 --> 57:14.220]  So I would highly recommend that.
[57:14.420 --> 57:15.840]  I don't know when the application process
[57:15.840 --> 57:17.360]  opens for next year's class, but
[57:17.360 --> 57:20.020]  Travis Moore is your man, so go find Travis.
[57:20.520 --> 57:21.680]  The other thing I would mention
[57:21.680 --> 57:23.820]  is I Am the Cavalry.
[57:23.820 --> 57:25.580]  When I Am the Cavalry
[57:25.580 --> 57:27.600]  was first started, it
[57:27.600 --> 57:29.500]  was kind of this weird, kooky thing
[57:29.500 --> 57:31.580]  for the Hill, for the
[57:31.580 --> 57:33.720]  United States Congress, who's very used to dealing with
[57:33.720 --> 57:35.840]  very buttoned up
[57:36.400 --> 57:37.400]  everyone's suit and tie
[57:39.180 --> 57:39.980]  professional trade
[57:39.980 --> 57:41.560]  associations and things like that when they were
[57:41.560 --> 57:43.480]  trying to get information on whatever
[57:43.480 --> 57:45.280]  they needed to get information on.
[57:45.320 --> 57:46.940]  And I Am the Cavalry sort of just kind of like
[57:46.940 --> 57:48.740]  came up to the Hill and was just like,
[57:48.740 --> 57:52.300]  Hi! We're a bunch of cybersecurity experts. We'd like to talk to you about this.
[57:52.300 --> 57:54.240]  But the thing is,
[57:54.240 --> 57:56.060]  they're one of the most effective advocacy groups
[57:56.060 --> 57:58.240]  in national policy
[57:58.240 --> 58:00.320]  making right now, because
[58:00.320 --> 58:02.300]  they were just so...
[58:03.540 --> 58:04.300]  everyone could
[58:04.300 --> 58:06.160]  tell in a city where sometimes
[58:06.160 --> 58:07.900]  people's motivations are a little bit
[58:08.980 --> 58:09.940]  shrouded,
[58:09.940 --> 58:12.200]  that they just wanted to be there. They were there
[58:12.200 --> 58:14.140]  with good faith. They really just wanted
[58:14.140 --> 58:16.280]  to do the right thing, and they were going to answer
[58:16.280 --> 58:18.340]  whatever questions needed answering without
[58:19.200 --> 58:20.160]  bias.
[58:20.160 --> 58:22.080]  And so I know
[58:22.080 --> 58:24.060]  SEA works a ton with
[58:24.060 --> 58:25.600]  I Am the Cavalry. I know
[58:26.620 --> 58:28.080]  that the Hill works a ton
[58:28.080 --> 58:30.060]  with I Am the Cavalry. And so
[58:30.060 --> 58:32.000]  if you want
[58:32.000 --> 58:33.900]  to get involved and have an opportunity to meet
[58:33.900 --> 58:35.860]  with the movers and shakers of the
[58:35.860 --> 58:37.980]  country of cybersecurity policy,
[58:37.980 --> 58:39.840]  I Am the Cavalry is another really
[58:39.840 --> 58:41.360]  great place to do that.
[58:45.240 --> 58:46.640]  I just would like to
[58:47.160 --> 58:48.680]  perhaps add that from my
[58:48.680 --> 58:50.720]  other perspective, if
[58:50.720 --> 58:52.960]  you want to get a hold of working
[58:52.960 --> 58:54.200]  in a hospital or
[58:54.740 --> 58:56.720]  getting your hands just on some medical
[58:56.720 --> 58:59.080]  equipment or just having a conversation
[58:59.080 --> 59:00.500]  with the manufacturers.
[59:01.020 --> 59:03.140]  Three years ago, I spoke at Biohacking
[59:03.140 --> 59:04.640]  Village. This was my first
[59:04.640 --> 59:06.220]  DEF CON. This was my first
[59:07.020 --> 59:08.800]  ever meeting another group
[59:08.800 --> 59:10.500]  of hackers like myself.
[59:11.580 --> 59:12.820]  And that's how I
[59:12.820 --> 59:15.120]  was set on the path to do research.
[59:15.120 --> 59:16.780]  That was how I got access
[59:16.780 --> 59:18.960]  to devices. I no longer had to smuggle
[59:18.960 --> 59:20.960]  them through customs at an airport
[59:21.440 --> 59:22.940]  because I bought them on eBay
[59:22.940 --> 59:25.060]  or, you know, because you
[59:25.060 --> 59:27.340]  can't buy them in South Africa, right?
[59:27.460 --> 59:29.560]  So I would buy them in the UK.
[59:29.560 --> 59:30.900]  I could have visited a friend and
[59:30.900 --> 59:32.940]  I put them in my luggage and smuggled
[59:32.940 --> 59:34.940]  them back home so that I could work
[59:34.940 --> 59:36.800]  on them, right? Or
[59:37.200 --> 59:38.840]  even, you know, when they exploded
[59:38.840 --> 59:40.900]  my first device, I said, hey, give me,
[59:40.900 --> 59:42.920]  give me, give me. I want to have that on my doctor's
[59:42.920 --> 59:44.960]  wire, like sentimental reasons, of
[59:44.960 --> 59:46.840]  course. But
[59:46.840 --> 59:48.700]  that's how I got my hands on. But
[59:48.700 --> 59:50.720]  here I walked into a place in Vegas
[59:50.720 --> 59:52.900]  that had devices, that had a lab,
[59:52.900 --> 59:54.820]  that had everything that, you know,
[59:54.820 --> 59:56.960]  makes a young hacker's heart, you know,
[59:56.960 --> 59:58.700]  do jumps. So
[59:58.700 --> 01:00:00.860]  if that tickles your fancy, then
[01:00:00.860 --> 01:00:03.360]  that's somewhere that you should go visit,
[01:00:03.360 --> 01:00:04.860]  right? You should go try your
[01:00:04.860 --> 01:00:06.680]  hand at it. You should go
[01:00:06.680 --> 01:00:09.120]  play with those devices, speak to the manufacturers
[01:00:09.120 --> 01:00:11.340]  and go see how they implement it.
[01:00:12.100 --> 01:00:13.060]  And I mean,
[01:00:13.060 --> 01:00:14.700]  even if you're a patient, nothing
[01:00:14.700 --> 01:00:16.740]  precludes you from giving advice
[01:00:16.740 --> 01:00:18.760]  at a hospital. I mean, I've
[01:00:18.760 --> 01:00:20.760]  given advice from my ICU bed.
[01:00:20.760 --> 01:00:22.440]  There's a reason I'm not allowed a laptop
[01:00:22.440 --> 01:00:24.580]  in anymore, right? Except
[01:00:24.580 --> 01:00:27.080]  for that the doctor wants me to waste more.
[01:00:27.080 --> 01:00:28.800]  Apparently, that's the reason. But
[01:00:28.800 --> 01:00:31.160]  I mean, give advice.
[01:00:31.240 --> 01:00:32.580]  Reach out. Get
[01:00:32.580 --> 01:00:34.300]  involved. And if
[01:00:34.300 --> 01:00:36.500]  someone doesn't want to listen to you the first time,
[01:00:36.500 --> 01:00:39.020]  keep on trying, because it's a patient's game.
[01:00:39.020 --> 01:00:40.980]  Right? It's not going to happen overnight.
[01:00:41.500 --> 01:00:42.700]  I've learned. I've
[01:00:43.440 --> 01:00:44.900]  dealt with many parties
[01:00:44.900 --> 01:00:47.000]  and it's not going to happen fast
[01:00:47.000 --> 01:00:49.420]  because it's a big industry.
[01:00:50.200 --> 01:00:51.100]  Just get involved.
[01:00:51.100 --> 01:00:52.420]  Get your hands dirty.
[01:00:52.680 --> 01:00:54.900]  Because that's how we change the world.
[01:00:55.100 --> 01:00:56.800]  Every new researcher that comes in
[01:00:56.800 --> 01:00:59.360]  the fold is a new mind that thinks differently.
[01:01:00.120 --> 01:01:01.060]  And that's, I think,
[01:01:01.060 --> 01:01:03.620]  how we change things one step at a time.
[01:01:04.900 --> 01:01:07.060]  I love that, because I think the
[01:01:07.060 --> 01:01:08.780]  idiosyncratic notion that
[01:01:08.780 --> 01:01:10.800]  it takes a specific individual or
[01:01:10.800 --> 01:01:13.080]  an elite person or someone who's an expert
[01:01:13.080 --> 01:01:14.740]  to make a change
[01:01:14.740 --> 01:01:16.440]  is absolutely a misconception.
[01:01:16.780 --> 01:01:18.800]  The notion of just getting
[01:01:18.800 --> 01:01:20.960]  involved, there's no inner circle here.
[01:01:20.960 --> 01:01:22.960]  I think every person in this community
[01:01:22.960 --> 01:01:24.800]  is more than willing to share their
[01:01:24.800 --> 01:01:26.500]  network, share their expertise, and share
[01:01:26.500 --> 01:01:28.780]  whatever corner of this problem that
[01:01:28.780 --> 01:01:31.200]  they have. It's a really hard problem.
[01:01:31.260 --> 01:01:32.860]  And we need all the talent that we
[01:01:32.860 --> 01:01:34.660]  can muster up right now to
[01:01:34.660 --> 01:01:36.440]  really make a change. And I think if we
[01:01:36.440 --> 01:01:39.020]  look at the diversity of roles,
[01:01:39.020 --> 01:01:41.260]  functions, experience, thought process,
[01:01:41.260 --> 01:01:43.300]  background, education, everything,
[01:01:43.300 --> 01:01:44.900]  any under-representation
[01:01:44.900 --> 01:01:47.060]  of that population is indicative
[01:01:47.060 --> 01:01:48.680]  of missing a potential
[01:01:48.680 --> 01:01:50.920]  attack vector. And we really have to
[01:01:50.920 --> 01:01:53.140]  account for that and try to bring in as many folks
[01:01:53.140 --> 01:01:54.100]  as we can.
[01:01:54.960 --> 01:01:57.440]  Yeah, I think this is a call to arms, right?
[01:01:57.440 --> 01:01:59.100]  This is a how many hackers can
[01:01:59.100 --> 01:02:00.840]  we round up in one go?
[01:02:00.840 --> 01:02:03.660]  Not just even hackers, right?
[01:02:03.700 --> 01:02:05.100]  You know, everyone
[01:02:05.100 --> 01:02:07.080]  from physicians, from patients,
[01:02:07.080 --> 01:02:08.740]  from builders
[01:02:08.740 --> 01:02:10.520]  and policy makers. I think
[01:02:10.520 --> 01:02:12.680]  if we start breaking down the
[01:02:12.680 --> 01:02:14.700]  silos, which we've been
[01:02:14.700 --> 01:02:16.660]  functioning in, and
[01:02:16.660 --> 01:02:18.680]  independently working and start
[01:02:18.680 --> 01:02:21.000]  this collective movement,
[01:02:21.000 --> 01:02:23.280]  that's how we change the world.
[01:02:24.440 --> 01:02:25.120]  It's
[01:02:25.120 --> 01:02:26.800]  not a one-person thing.
[01:02:26.800 --> 01:02:28.840]  It's never going to be one person
[01:02:28.840 --> 01:02:30.260]  that's going to come up with the magic
[01:02:30.880 --> 01:02:32.620]  solution or the
[01:02:32.620 --> 01:02:34.320]  silver bullet, right?
[01:02:34.320 --> 01:02:36.340]  It takes more than
[01:02:36.340 --> 01:02:38.240]  one village, as I
[01:02:38.240 --> 01:02:40.540]  always say, to solve the problem.
[01:02:41.300 --> 01:02:42.580]  And I think it's time
[01:02:42.580 --> 01:02:43.660]  in 2020
[01:02:44.580 --> 01:02:46.060]  that we as a society
[01:02:46.060 --> 01:02:48.340]  pull together instead of apart.
[01:02:49.200 --> 01:02:50.160]  Because we've seen
[01:02:50.160 --> 01:02:52.640]  what a virus can do,
[01:02:52.640 --> 01:02:54.680]  right? It's locked us in our houses.
[01:02:54.680 --> 01:02:56.240]  So I think it's time we take our
[01:02:56.240 --> 01:02:58.320]  power back and we start moving the world
[01:02:58.320 --> 01:03:00.600]  into a positive future.
[01:03:01.000 --> 01:03:02.180]  Because I can tell you
[01:03:02.180 --> 01:03:03.940]  from a patient perspective, not having
[01:03:03.940 --> 01:03:06.240]  access to being able to go into a cardiologist's
[01:03:06.240 --> 01:03:08.740]  office because we're afraid of COVID,
[01:03:08.740 --> 01:03:10.200]  because currently it's more dangerous
[01:03:10.200 --> 01:03:12.040]  going into a hospital.
[01:03:12.780 --> 01:03:14.360]  A denial of patient
[01:03:14.360 --> 01:03:16.260]  care is a
[01:03:16.260 --> 01:03:18.080]  unacceptable,
[01:03:18.080 --> 01:03:20.220]  non-negotiable. I'm not going
[01:03:20.220 --> 01:03:22.240]  to stand for it. And I think we should
[01:03:22.240 --> 01:03:24.420]  be kicking down the doors and saying,
[01:03:24.420 --> 01:03:26.260]  you know, now's the time.
[01:03:26.260 --> 01:03:31.200]  Not yesterday, now.
[01:03:31.200 --> 01:03:31.740]  I love it.
[01:03:31.740 --> 01:03:33.920]  Are there any better sentiments to go out on
[01:03:33.920 --> 01:03:35.160]  than that?
[01:03:36.100 --> 01:03:36.840]  I think
[01:03:37.900 --> 01:03:39.240]  it's easy to be cynical
[01:03:39.240 --> 01:03:41.580]  about all this. And it's easy to say we're having the same
[01:03:41.580 --> 01:03:43.560]  conversations year after year and the problems
[01:03:43.560 --> 01:03:45.380]  are still there. But I mean,
[01:03:45.380 --> 01:03:47.760]  in 2015, the Biohacking Village didn't
[01:03:47.760 --> 01:03:49.260]  exist. And the idea of people
[01:03:49.260 --> 01:03:51.800]  from device manufacturers bringing stuff
[01:03:51.800 --> 01:03:53.560]  for hackers to poke
[01:03:53.560 --> 01:03:55.920]  and prod at would be laughed out of the room.
[01:03:55.920 --> 01:03:57.640]  So for people who
[01:03:57.640 --> 01:03:59.520]  don't believe that we can do awesome
[01:03:59.520 --> 01:04:01.360]  things when we work together and hang out at places
[01:04:01.360 --> 01:04:03.260]  like DEF CON,
[01:04:03.260 --> 01:04:05.300]  we have evidence to the contrary.
[01:04:05.740 --> 01:04:07.480]  I think that's about
[01:04:07.480 --> 01:04:09.540]  an hour. And I'm looking forward
[01:04:09.540 --> 01:04:11.360]  to seeing you guys in a little bit
[01:04:11.360 --> 01:04:12.920]  for a Q&A.
[01:04:14.700 --> 01:04:15.880]  Take care, everyone.
[01:04:15.880 --> 01:04:17.460]  Thank you, DEF CON, for having us.
[01:04:17.460 --> 01:04:19.160]  A shout out to Nikita,
[01:04:19.160 --> 01:04:21.900]  especially, for taking another shot at us.
[01:04:21.900 --> 01:04:23.400]  We're going to go ahead and open it up to
[01:04:23.400 --> 01:04:25.160]  Q&A here in 5,
[01:04:25.160 --> 01:04:27.620]  4, 3, 2,
[01:04:27.620 --> 01:04:28.400]  1.
